Edit tour

Windows Analysis Report
llcubnch6T

Overview

General Information

Sample Name:	llcubnch6T (renamed file extension from none to exe)
Analysis ID:	679479
MD5:	44e407b3de4a9865ab747bdca810b0b9
SHA1:	6eb199e6837432d8acb98c03b22277f340726372
SHA256:	da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5
Tags:	32exetrojan
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected AsyncRAT

Multi AV Scanner detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

llcubnch6T.exe (PID: 5324 cmdline: "C:\Users\user\Desktop\llcubnch6T.exe" MD5: 44E407B3DE4A9865AB747BDCA810B0B9)

powershell.exe (PID: 5040 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6132 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

llcubnch6T.exe (PID: 3720 cmdline: C:\Users\user\Desktop\llcubnch6T.exe MD5: 44E407B3DE4A9865AB747BDCA810B0B9)

cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "91.193.75.135", "Ports": "3030", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.630822289.0000000003051000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x140ef:$x1: AsyncRAT 0x1412d:$x1: AsyncRAT
00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa0d9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.635757563.00000000055A6000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8743:$x1: AsyncRAT 0x8781:$x1: AsyncRAT
00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x19dfd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x27101:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x356e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: llcubnch6T.exe PID: 5324	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: llcubnch6T.exe PID: 5324	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: llcubnch6T.exe PID: 3720	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: llcubnch6T.exe PID: 3720	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x23a5f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: llcubnch6T.exe PID: 3720	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x509f:$x1: AsyncRAT 0x50d1:$x1: AsyncRAT 0x24cf7:$x1: AsyncRAT 0x24d29:$x1: AsyncRAT 0x23b25:$s6: VirtualBox 0x23ad8:$s8: Win32_ComputerSystem
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.llcubnch6T.exe.30fdb24.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.llcubnch6T.exe.30fdb24.6.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x84d9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.llcubnch6T.exe.310ae28.5.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.llcubnch6T.exe.310ae28.5.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x84d9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.llcubnch6T.exe.30fdb24.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.llcubnch6T.exe.30fdb24.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.llcubnch6T.exe.30fdb24.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2d9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x175dd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x25bbd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.0.llcubnch6T.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.0.llcubnch6T.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2d9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.llcubnch6T.exe.30ee614.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.llcubnch6T.exe.30ee614.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.llcubnch6T.exe.30ee614.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x197e9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x26aed:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x350cd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.llcubnch6T.exe.310ae28.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.llcubnch6T.exe.310ae28.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.llcubnch6T.exe.310ae28.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2d9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x188b9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 10 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: llcubnch6T.exe

Virustotal: Detection: 53%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe

ReversingLabs: Detection: 53%

Machine Learning detection for sample

Source: llcubnch6T.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe

Joe Sandbox ML: detected

Source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "91.193.75.135", "Ports": "3030", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%"}

Source: llcubnch6T.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: llcubnch6T.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\llcubnch6T.exe

Code function: 4x nop then jmp 010B5A17h

0_2_010B5798

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 91.193.75.135 91.193.75.135

Source: global traffic

TCP traffic: 192.168.2.6:49765 -> 91.193.75.135:3030

Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135
Source: unknown	TCP traffic detected without corresponding DNS query: 91.193.75.135

Source: llcubnch6T.exe, 00000000.00000003.370486654.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.370416567.0000000005F77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: llcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369672069.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369439345.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369755917.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369565571.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: llcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369344253.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369439345.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comi;
Source: llcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369672069.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369755917.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369565571.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comz
Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: llcubnch6T.exe, 00000000.00000003.373444862.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373397776.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373494865.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: llcubnch6T.exe, 00000000.00000003.374008369.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374159108.0000000005F79000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374208532.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373945445.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comadD
Source: llcubnch6T.exe, 00000000.00000003.374008369.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374159108.0000000005F79000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374208532.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373945445.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comic
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381656755.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378729506.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378822721.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380236923.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: llcubnch6T.exe, 00000000.00000003.381774652.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382095894.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381656755.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381931622.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comL.TTF
Source: llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma;
Source: llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: llcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.413372395.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comav;
Source: llcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comceta
Source: llcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.413372395.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcetoS;
Source: llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comepko
Source: llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comion
Source: llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380236923.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comituFv;
Source: llcubnch6T.exe, 00000000.00000003.378729506.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comnc.Z;
Source: llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comonydZ;
Source: llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comsiv9
Source: llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comueta
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372581826.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372553600.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372078011.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: llcubnch6T.exe, 00000000.00000003.372183289.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372085870.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/aj#W
Source: llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/ar
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: llcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnMic
Source: llcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373098086.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373141901.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-g
Source: llcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373098086.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373257248.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373141901.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cns
Source: llcubnch6T.exe, 00000000.00000003.382515419.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383198382.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383615585.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383062477.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383441888.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383716381.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382877880.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382700986.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: llcubnch6T.exe, 00000000.00000003.382515419.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382700986.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/Z;
Source: llcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.krtp
Source: llcubnch6T.exe, 00000000.00000003.377084125.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377017050.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.itcfonts.
Source: llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377578464.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/E;
Source: llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-sa;
Source: llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0W
Source: llcubnch6T.exe, 00000000.00000003.375863348.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375712201.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/de-d
Source: llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/h;
Source: llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: llcubnch6T.exe, 00000000.00000003.375863348.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375712201.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/knl
Source: llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/lth;
Source: llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/oi
Source: llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/u-hE;
Source: llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/v;
Source: llcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: llcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com2
Source: llcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: llcubnch6T.exe, 00000000.00000003.377084125.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377017050.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377194158.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com0
Source: llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372078011.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372146838.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.371863268.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kront
Source: llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krtp
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: llcubnch6T.exe, 00000000.00000003.374266055.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374439978.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374621756.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comslnt
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: llcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: llcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deC
Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deFT
Source: llcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deo$
Source: llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnarS/
Source: llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.f

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: llcubnch6T.exe PID: 5324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR

Source: llcubnch6T.exe, 00000000.00000002.414992989.000000000123B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.630822289.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.635757563.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: llcubnch6T.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.630822289.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.635757563.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: C:\Users\user\Desktop\llcubnch6T.exe

Code function: 0_2_010BDF0C

0_2_010BDF0C

Source: llcubnch6T.exe, 00000000.00000002.427448862.0000000005F10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePlates.dll4 vs llcubnch6T.exe
Source: llcubnch6T.exe, 00000000.00000002.419675313.0000000004689000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs llcubnch6T.exe
Source: llcubnch6T.exe, 00000000.00000002.416245004.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFroor.dll4 vs llcubnch6T.exe
Source: llcubnch6T.exe, 00000000.00000002.431213739.00000000060E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFroor.dll4 vs llcubnch6T.exe
Source: llcubnch6T.exe, 00000000.00000003.387819597.00000000012BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePlates.dll4 vs llcubnch6T.exe
Source: llcubnch6T.exe, 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename" vs llcubnch6T.exe
Source: llcubnch6T.exe, 00000000.00000002.433660916.0000000008030000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs llcubnch6T.exe
Source: llcubnch6T.exe, 00000009.00000000.411378615.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename" vs llcubnch6T.exe
Source: llcubnch6T.exe	Binary or memory string: OriginalFilenameTypeLibVarFl.exe< vs llcubnch6T.exe

Source: llcubnch6T.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RhFYnHFgJ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: llcubnch6T.exe

Virustotal: Detection: 53%

Source: C:\Users\user\Desktop\llcubnch6T.exe

File read: C:\Users\user\Desktop\llcubnch6T.exe

Jump to behavior

Source: llcubnch6T.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\llcubnch6T.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\llcubnch6T.exe "C:\Users\user\Desktop\llcubnch6T.exe"
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process created: C:\Users\user\Desktop\llcubnch6T.exe C:\Users\user\Desktop\llcubnch6T.exe
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process created: C:\Users\user\Desktop\llcubnch6T.exe C:\Users\user\Desktop\llcubnch6T.exe	Jump to behavior

Source: C:\Users\user\Desktop\llcubnch6T.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\llcubnch6T.exe

File created: C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe

Jump to behavior

Source: C:\Users\user\Desktop\llcubnch6T.exe

File created: C:\Users\user\AppData\Local\Temp\tmp95A0.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/8@0/1

Source: C:\Users\user\Desktop\llcubnch6T.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: llcubnch6T.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\llcubnch6T.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_01
Source: C:\Users\user\Desktop\llcubnch6T.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1672:120:WilError_01

Source: llcubnch6T.exe, Login.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: RhFYnHFgJ.exe.0.dr, Login.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.llcubnch6T.exe.a30000.0.unpack, Login.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\llcubnch6T.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: llcubnch6T.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: llcubnch6T.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: llcubnch6T.exe, Login.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: RhFYnHFgJ.exe.0.dr, Login.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.llcubnch6T.exe.a30000.0.unpack, Login.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: initial sample	Static PE information: section name: .text entropy: 7.2738007120716635
Source: initial sample	Static PE information: section name: .text entropy: 7.2738007120716635

Source: C:\Users\user\Desktop\llcubnch6T.exe

File created: C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: llcubnch6T.exe PID: 5324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\llcubnch6T.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp

Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: llcubnch6T.exe PID: 5324, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: llcubnch6T.exe PID: 5324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\llcubnch6T.exe TID: 5396	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe TID: 2952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3716	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe TID: 3772	Thread sleep time: -65000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\llcubnch6T.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\llcubnch6T.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 8958

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\llcubnch6T.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\llcubnch6T.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: llcubnch6T.exe, 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: llcubnch6T.exe, 00000009.00000002.635815470.00000000055BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\llcubnch6T.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\llcubnch6T.exe

Memory written: C:\Users\user\Desktop\llcubnch6T.exe base: 400000 value starts with: 4D5A

Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\llcubnch6T.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe			Jump to behavior

Source: C:\Users\user\Desktop\llcubnch6T.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Process created: C:\Users\user\Desktop\llcubnch6T.exe C:\Users\user\Desktop\llcubnch6T.exe	Jump to behavior

Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Users\user\Desktop\llcubnch6T.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\llcubnch6T.exe	Queries volume information: C:\Users\user\Desktop\llcubnch6T.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\llcubnch6T.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: llcubnch6T.exe PID: 5324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Scheduled Task/Job	2 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 Input Capture	21 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	12 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
llcubnch6T.exe	54%	Virustotal		Browse
llcubnch6T.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe	54%	ReversingLabs	ByteCode-MSIL.Trojan.FormBook

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
9.0.llcubnch6T.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1202836		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.jiyu-kobo.co.jp/v;	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com2	0%	URL Reputation	safe
http://www.fontbureau.comonydZ;	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.comituFv;	0%	Avira URL Cloud	safe
http://fontfabrik.comi;	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/E;	0%	Avira URL Cloud	safe
http://www.fontbureau.comceta	0%	URL Reputation	safe
http://www.sandoll.co.kront	0%	Avira URL Cloud	safe
http://www.fontbureau.comepko	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/knl	0%	Avira URL Cloud	safe
http://www.fontbureau.comsiv9	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.zhongyicts.com.cnarS/	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnl-g	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0-sa;	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/lth;	0%	Avira URL Cloud	safe
http://fontfabrik.comz	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cns	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0W	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.itcfonts.	0%	URL Reputation	safe
http://www.urwpp.deFT	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comnc.Z;	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sandoll.co.krtp	0%	Avira URL Cloud	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comic	0%	URL Reputation	safe
http://www.founder.com.cn/cnMic	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.tiro.comslnt	0%	URL Reputation	safe
http://www.founder.com.cn/cn/ar	0%	Avira URL Cloud	safe
http://www.fontbureau.comueta	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/h;	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/aj#W	0%	Avira URL Cloud	safe
http://www.carterandcone.comadD	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/u-hE;	0%	Avira URL Cloud	safe
http://www.fontbureau.comion	0%	URL Reputation	safe
http://www.fontbureau.comL.TTF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/oi	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.urwpp.deC	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.sakkal.com0	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.goodfont.co.krtp	0%	Avira URL Cloud	safe
http://www.fontbureau.coma;	0%	Avira URL Cloud	safe
http://www.urwpp.deo$	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comcetoS;	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cno.	0%	URL Reputation	safe
http://www.fontbureau.comalic	0%	URL Reputation	safe
http://www.fontbureau.comav;	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/Z;	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cno.f	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/de-d	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/v;	llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com2	llcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comonydZ;	llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cn/bThe	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comituFv;	llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380236923.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://fontfabrik.comi;	llcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369344253.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369439345.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.tiro.com	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/E;	llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comceta	llcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kront	llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comepko	llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/knl	llcubnch6T.exe, 00000000.00000003.375863348.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375712201.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comsiv9	llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	llcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	llcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cnarS/	llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com	llcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369672069.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369439345.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369755917.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369565571.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnl-g	llcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373098086.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373141901.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0-sa;	llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/lth;	llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.comz	llcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369672069.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369755917.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369565571.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cns	llcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373098086.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373257248.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373141901.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0W	llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ascendercorp.com/typedesigners.html	llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.itcfonts.	llcubnch6T.exe, 00000000.00000003.377084125.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377017050.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deFT	llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372078011.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372146838.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.371863268.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comnc.Z;	llcubnch6T.exe, 00000000.00000003.378729506.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.urwpp.deDPlease	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krtp	llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de	llcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.come	llcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	llcubnch6T.exe, 00000000.00000003.377084125.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377017050.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377194158.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comic	llcubnch6T.exe, 00000000.00000003.374008369.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374159108.0000000005F79000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374208532.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373945445.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	llcubnch6T.exe, 00000000.00000003.373444862.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373397776.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373494865.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381656755.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378729506.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378822721.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnMic	llcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/	llcubnch6T.exe, 00000000.00000003.382515419.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383198382.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383615585.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383062477.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383441888.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383716381.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382877880.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382700986.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comF	llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380236923.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comslnt	llcubnch6T.exe, 00000000.00000003.374266055.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374439978.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374621756.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/ar	llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comueta	llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/h;	llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/aj#W	llcubnch6T.exe, 00000000.00000003.372183289.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372085870.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comadD	llcubnch6T.exe, 00000000.00000003.374008369.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374159108.0000000005F79000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374208532.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373945445.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/u-hE;	llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comion	llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comL.TTF	llcubnch6T.exe, 00000000.00000003.381774652.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382095894.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381656755.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381931622.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/oi	llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd	llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.come.com	llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w	llcubnch6T.exe, 00000000.00000003.370486654.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.370416567.0000000005F77000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deC	llcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372078011.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com0	llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372581826.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372553600.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.krtp	llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.coma;	llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.urwpp.deo$	llcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/	llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377578464.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comcetoS;	llcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.413372395.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.zhongyicts.com.cno.	llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comalic	llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comav;	llcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.413372395.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.galapagosdesign.com/Z;	llcubnch6T.exe, 00000000.00000003.382515419.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382700986.0000000005F74000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cno.f	llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/de-d	llcubnch6T.exe, 00000000.00000003.375863348.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375712201.0000000005F73000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.193.75.135	unknown	Serbia		209623	DAVID_CRAIGGG	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679479
Start date and time: 05/08/202221:06:11	2022-08-05 21:06:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	llcubnch6T (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/8@0/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 33 Number of non-executed functions: 1
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Execution Graph export aborted for target llcubnch6T.exe, PID 3720 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:07:33	API Interceptor	1x Sleep call for process: llcubnch6T.exe modified
21:07:40	API Interceptor	40x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
91.193.75.135	ctf.exe	Get hash	malicious	Browse
	triage_dropped_file.exe	Get hash	malicious	Browse
	2pxF82FZZh.exe	Get hash	malicious	Browse
	ORDER SPECIFICATION.js	Get hash	malicious	Browse
	COMPANY PROFILE.js	Get hash	malicious	Browse
	Qk1i28TfVz.exe	Get hash	malicious	Browse
	ORDER UPDATES-01-02-2022.ihz.exe	Get hash	malicious	Browse
	Dc4FQtO5Sr.exe	Get hash	malicious	Browse
	Sathya Raj-CV.exe	Get hash	malicious	Browse
	Z2S2dzpoGP.exe	Get hash	malicious	Browse
	WSb9Mi1684.exe	Get hash	malicious	Browse
	GWwW938Bot.exe	Get hash	malicious	Browse
	Specification_2022.doc__.rtf	Get hash	malicious	Browse
	Specification_2022.doc	Get hash	malicious	Browse
	swift-copy-TT.exe	Get hash	malicious	Browse
	5309,pdf.exe	Get hash	malicious	Browse
	5309,pdf.exe	Get hash	malicious	Browse
	Confirmation transfer note Mt103-Ref#889278912.exe	Get hash	malicious	Browse
	Dringende RFQ_AP65425652_032421,pdf.exe	Get hash	malicious	Browse
	Confirmation Transfer Note MT103 Ref#58389262.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	u0yd8ViwA4.exe	Get hash	malicious	Browse	185.140.53.61
	Payment Receipt.exe	Get hash	malicious	Browse	185.140.53.61
	augyQqseeo.exe	Get hash	malicious	Browse	185.140.53.61
	SecuriteInfo.com.Variant.Barys.11488.19269.exe	Get hash	malicious	Browse	91.193.75.131
	bDTC.exe	Get hash	malicious	Browse	185.140.53.76
	Payment confirmation.exe	Get hash	malicious	Browse	185.140.53.61
	bDNT.exe	Get hash	malicious	Browse	185.140.53.76
	bDN3.exe	Get hash	malicious	Browse	185.140.53.76
	bDKh.exe	Get hash	malicious	Browse	185.140.53.76
	Invoice.exe	Get hash	malicious	Browse	185.140.53.61
	W6qyjSxlRB.exe	Get hash	malicious	Browse	185.140.53.12
	Proof of Payment.exe	Get hash	malicious	Browse	185.140.53.154
	ProofOfPayment.exe	Get hash	malicious	Browse	185.140.53.154
	Faktura 9382022.vbs	Get hash	malicious	Browse	185.140.53.130
	XmKeaMRPzV.exe	Get hash	malicious	Browse	185.140.53.69
	bDE8.exe	Get hash	malicious	Browse	185.140.53.159
	4RfxmwlHnc.exe	Get hash	malicious	Browse	91.193.75.211
	bDC7.exe	Get hash	malicious	Browse	185.140.53.159
	bDC9.exe	Get hash	malicious	Browse	185.140.53.159
	bDCA.exe	Get hash	malicious	Browse	185.140.53.159

Process:	C:\Users\user\Desktop\llcubnch6T.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1394
Entropy (8bit):	5.340883346054895
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84F0:MIHK5HKXE1qHbHKnYHKhQnoPtHoxHhAR
MD5:	B51A52A837298BCF7A6EB58551AEF99C
SHA1:	61EEFCC20AC255B8651769E5C48E27B2A983FC4A
SHA-256:	1D393FBB3CE754EA699462C2778587A7F2451EB23BE2BD5084C95A46B20BE8AF
SHA-512:	138544399787651C847837719606197E539857206CCB271E0F4A86E2017FBADABADF5A235B6F6F1DA8ADE7EF29DBA3115CD1996AD01F92CA30C57D0BF217C11C
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e08

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22272
Entropy (8bit):	5.600170087985691
Encrypted:	false
SSDEEP:	384:ntCDDq0C6VKa/G/KBJYSB+sjultI+b7Y9g9SJ3xa1BMrm7Z1AV7Dw64I+iyYB:va/QOY4dClth79cBa4+M
MD5:	E6BC308E44F52713322480EE725334CB
SHA1:	57423595B636FC70CF53EB29D227CB6B9BC42F8E
SHA-256:	C581CF1C3C82F6B2DF7CD852361A0466AC85172BEC6E34D9655A6C18667BBEC7
SHA-512:	E4904783464A21408255C32364441F3741BF9544182F57CF7A14946E6AFC100F16D8CF3089F155AA4A08E4E65FF246F20517C7E1FE6DB962801CC6619ADBE19D
Malicious:	false
Reputation:	low
Preview:	@...e...........y...................>.y..............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wwz4tj5.5nu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1zr1t5y.vgy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp95A0.tmp

Download File

Process:	C:\Users\user\Desktop\llcubnch6T.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1608
Entropy (8bit):	5.124455319747427
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLPaxvn:cgea6YrFdOFzOzN33ODOiDdKrsuTzuv
MD5:	0E2E547022BB8168544A3BD4F03B80DF
SHA1:	231F190A8B0CE5A7C8BE4346172F48D342B44234
SHA-256:	7B1A5B157DD8468BA308482C17F6451096304542DCAA29CF568026DCF494BC60
SHA-512:	2FE546649789F3022A8E3606F21199FCFCDBB0E493830556B87D9887A61717D65C2E3A763DF805216320D1A08A2408CCF00F714D212268E5B049940BE2A03BDF
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab

C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe

Download File

Process:	C:\Users\user\Desktop\llcubnch6T.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	621056
Entropy (8bit):	7.267556524859017
Encrypted:	false
SSDEEP:	12288:4H2iNSg6SKlpxxDAE7Mn3cs9OWvHoFiPEwjlk2Y/gbb:81SLlpxx8EEc85oFaj22p
MD5:	44E407B3DE4A9865AB747BDCA810B0B9
SHA1:	6EB199E6837432D8ACB98C03B22277F340726372
SHA-256:	DA6ABB6F3AAE250D50ED09B6EACC267C33E50895E3EBD7E6BA800AB018351EC5
SHA-512:	DB8E1652A6E8D90450114641F3573B9423BCE4C27C237AF49A59DC44ACF929580CDF59E5C216391EF87C27C52FC610653D19BCE2D1507E4D8F310B7D6DEE8A4B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 54%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.b..............0..r..........b.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...hq... ...r.................. ..`.rsrc................t..............@..@.reloc...............x..............@..B................D.......H............S......B.......@...........................................^..}.....(.......(......0..+.........,..{.......+....,...{....o........(.......0................(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o......(......{.....o .....{....o!...."...Bs"...o#...&.{....o!...."...Bs"...o#...&.{....o$....{......o%.....{....o$....{......o%.....{....o$....{......o%.....{....o$....{......o%.....{....o$...

C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\llcubnch6T.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220805\PowerShell_transcript.724471.0b0YCxHN.20220805210738.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5815
Entropy (8bit):	5.37547468273822
Encrypted:	false
SSDEEP:	96:BZDTL5NKCqDo1ZSGZiTL5NKCqDo1ZE39PjZiTL5NKCqDo1ZEG//hZ+:7
MD5:	599FC2C562BB7B72B0592FCDFA20F17F
SHA1:	22D5820DE1296A150D38D950EFE7540DEF5672C1
SHA-256:	227A4D6538B52B6061A7960A5F9B9795AB1773C2752EEF201CFCD5B85E38E274
SHA-512:	C95070EF3920CCAC7689EB27A953C13DAE36173DF17D36194D0BBA930BC0FDFA470C559EE5713F53D2EF26D0D9F1107079E710A8DE326EA3E6AF045BAE1CB99D
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220805210740..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 724471 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe..Process ID: 5040..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220805210740..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe..********************..Windows PowerShell transcript start..Start time: 20220805211241..Username: computer\user..RunAs User: DESKTOP

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.267556524859017
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	llcubnch6T.exe
File size:	621056
MD5:	44e407b3de4a9865ab747bdca810b0b9
SHA1:	6eb199e6837432d8acb98c03b22277f340726372
SHA256:	da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5
SHA512:	db8e1652a6e8d90450114641f3573b9423bce4c27c237af49a59dc44acf929580cdf59e5c216391ef87c27c52fc610653d19bce2d1507e4d8f310b7d6dee8a4b
SSDEEP:	12288:4H2iNSg6SKlpxxDAE7Mn3cs9OWvHoFiPEwjlk2Y/gbb:81SLlpxx8EEc85oFaj22p
TLSH:	52D4E082F2694F5BC0274BF9AC2594581727B39E503DD6096DFEB8EBA0727C34152E0B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.b..............0..r..........b.... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x499162
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62E773E6 [Mon Aug 1 06:34:14 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x99110	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9a000	0x3a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x97168	0x97200	False	0.7348273366418527	data	7.2738007120716635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9a000	0x3a8	0x400	False	0.38671875	data	2.9730132767456556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x9a058	0x34c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 21:07:53.229300022 CEST	49765	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:07:53.269311905 CEST	3030	49765	91.193.75.135	192.168.2.6
Aug 5, 2022 21:07:53.830010891 CEST	49765	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:07:53.869882107 CEST	3030	49765	91.193.75.135	192.168.2.6
Aug 5, 2022 21:07:54.523250103 CEST	49765	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:07:54.563241959 CEST	3030	49765	91.193.75.135	192.168.2.6
Aug 5, 2022 21:07:59.581712961 CEST	49777	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:07:59.621660948 CEST	3030	49777	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:00.129159927 CEST	49777	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:00.169723034 CEST	3030	49777	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:00.674324989 CEST	49777	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:00.714421988 CEST	3030	49777	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:05.723584890 CEST	49779	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:05.763652086 CEST	3030	49779	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:06.268538952 CEST	49779	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:06.308541059 CEST	3030	49779	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:06.815474033 CEST	49779	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:06.858010054 CEST	3030	49779	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:11.866844893 CEST	49784	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:11.907004118 CEST	3030	49784	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:12.534842014 CEST	49784	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:12.575058937 CEST	3030	49784	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:13.222290993 CEST	49784	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:13.262275934 CEST	3030	49784	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:18.270786047 CEST	49787	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:18.311213017 CEST	3030	49787	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:18.832133055 CEST	49787	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:18.872239113 CEST	3030	49787	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:19.439817905 CEST	49787	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:19.479929924 CEST	3030	49787	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:24.489988089 CEST	49794	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:24.530139923 CEST	3030	49794	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:25.035784960 CEST	49794	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:25.075980902 CEST	3030	49794	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:25.582756996 CEST	49794	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:25.622864962 CEST	3030	49794	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:30.632461071 CEST	49797	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:30.672374010 CEST	3030	49797	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:31.223885059 CEST	49797	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:31.263833046 CEST	3030	49797	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:31.926997900 CEST	49797	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:31.967113018 CEST	3030	49797	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:36.977118015 CEST	49798	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:37.017225027 CEST	3030	49798	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:37.615282059 CEST	49798	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:37.655406952 CEST	3030	49798	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:38.161915064 CEST	49798	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:38.202013016 CEST	3030	49798	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:43.210587025 CEST	49800	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:43.250809908 CEST	3030	49800	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:43.756254911 CEST	49800	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:43.796329021 CEST	3030	49800	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:44.459325075 CEST	49800	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:44.499526024 CEST	3030	49800	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:49.509156942 CEST	49816	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:49.549237013 CEST	3030	49816	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:50.148332119 CEST	49816	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:50.188297033 CEST	3030	49816	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:50.750245094 CEST	49816	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:50.790303946 CEST	3030	49816	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:55.806442976 CEST	49845	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:55.846424103 CEST	3030	49845	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:56.360430002 CEST	49845	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:56.400496960 CEST	3030	49845	91.193.75.135	192.168.2.6
Aug 5, 2022 21:08:56.962353945 CEST	49845	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:08:57.002532959 CEST	3030	49845	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:02.585449934 CEST	49854	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:02.625430107 CEST	3030	49854	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:03.259737968 CEST	49854	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:03.299568892 CEST	3030	49854	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:03.947386980 CEST	49854	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:03.987705946 CEST	3030	49854	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:08.997055054 CEST	49859	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:09.038681984 CEST	3030	49859	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:09.541527033 CEST	49859	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:09.581378937 CEST	3030	49859	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:10.088469982 CEST	49859	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:10.128552914 CEST	3030	49859	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:15.136780977 CEST	49870	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:15.176758051 CEST	3030	49870	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:15.682686090 CEST	49870	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:15.722548962 CEST	3030	49870	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:16.229609013 CEST	49870	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:16.269427061 CEST	3030	49870	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:21.278151035 CEST	49883	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:21.318515062 CEST	3030	49883	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:21.855076075 CEST	49883	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:21.895132065 CEST	3030	49883	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:22.558250904 CEST	49883	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:22.598500967 CEST	3030	49883	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:27.606158018 CEST	49885	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:27.646354914 CEST	3030	49885	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:28.152470112 CEST	49885	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:28.192559004 CEST	3030	49885	91.193.75.135	192.168.2.6
Aug 5, 2022 21:09:28.699387074 CEST	49885	3030	192.168.2.6	91.193.75.135
Aug 5, 2022 21:09:28.739516973 CEST	3030	49885	91.193.75.135	192.168.2.6

Target ID:	0
Start time:	21:07:20
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\llcubnch6T.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\llcubnch6T.exe"
Imagebase:	0xa30000
File size:	621056 bytes
MD5 hash:	44E407B3DE4A9865AB747BDCA810B0B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	21:07:36
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe
Imagebase:	0xf10000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	21:07:37
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	21:07:37
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp
Imagebase:	0x290000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	21:07:39
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	21:07:42
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\llcubnch6T.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\llcubnch6T.exe
Imagebase:	0xce0000
File size:	621056 bytes
MD5 hash:	44E407B3DE4A9865AB747BDCA810B0B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.630822289.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.635757563.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	154
Total number of Limit Nodes:	8

Executed Functions

Function 010B5798 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4a5810f107968fa0fcdede62917f68e1a13d9854003fdcc4cb599757c42602
Instruction ID: b6ded737464fc985a3c32dbc0cea175b0c526e562ccbb4842f95da45dc70f1cc
Opcode Fuzzy Hash: 1f4a5810f107968fa0fcdede62917f68e1a13d9854003fdcc4cb599757c42602
Instruction Fuzzy Hash: 8681E470E01248CFDB14DFE5D894AEEBBF2EF8A305F149069D419AB364DB34A846CB54

Uniqueness

Uniqueness Score: -1.00%

Function 010BB0D0 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010BB316

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5024bbc463e401698a6b6af57af7f23225b3719c020d6aa1fa2701ab4b183123
Instruction ID: 496cff362784ab09844967d9348066357e4d83375bd5ee6f0cf9460fcc1148d3
Opcode Fuzzy Hash: 5024bbc463e401698a6b6af57af7f23225b3719c020d6aa1fa2701ab4b183123
Instruction Fuzzy Hash: 5B713270A00B058FD764DF6AD49479BBBF5FF88204F008A2DD58ADBB40DB74E8498B91

Uniqueness

Uniqueness Score: -1.00%

Function 010B543C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010B7139

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1f8372dccd9be82913fb3a725b69b4817976f3c179cb0bfaa1464491eb27d3ba
Instruction ID: 47389cadfcbafbe578b799764c82bedb4267876fc7234c195cbfecd8a953e579
Opcode Fuzzy Hash: 1f8372dccd9be82913fb3a725b69b4817976f3c179cb0bfaa1464491eb27d3ba
Instruction Fuzzy Hash: 9F41E371C4061DCBDB24DFA9C884BDEBBB5FF88304F20846AD449AB251DB75594ACFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010B707D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010B7139

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5b4b98064e0ad3e529399ee5f1bbf4bd02663b06a6219b727329ac4df0bfbde6
Instruction ID: 13e76bca4f88936ed636c411f3f6921c80cbe3e86084f5911aa94190835b13ae
Opcode Fuzzy Hash: 5b4b98064e0ad3e529399ee5f1bbf4bd02663b06a6219b727329ac4df0bfbde6
Instruction Fuzzy Hash: 1841F271C00719CBDB24CFA9C8847DEBBB5BF88304F20846AD449AB251DB75594ACFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05F0A1A0 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05F0A237

Memory Dump Source

Source File: 00000000.00000002.427195484.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_llcubnch6T.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 92d8a8ed914fe67a1bf9594c104fc6affbdbf254bd0a41681b2b90f0a3bb00d8
Instruction ID: f19af2e7261d5d26233e30d9d688ac9bfca04fc2f1c0445ed09f0a908b8913c9
Opcode Fuzzy Hash: 92d8a8ed914fe67a1bf9594c104fc6affbdbf254bd0a41681b2b90f0a3bb00d8
Instruction Fuzzy Hash: D021E3B5D003499FCB10CF9AD880ADEFBF4BB48324F14842AE819A7350D774A984CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010BD5E8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010BD677

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2ce7bfa2a151b90bfd65f4de528e97b6d34291d86a33a4e7f80ca3f6bfb2f9d
Instruction ID: a3580ef13e23ed83fdcf789b3e6f7eaf33d9260dc604290e590fa05fa17ac2b2
Opcode Fuzzy Hash: e2ce7bfa2a151b90bfd65f4de528e97b6d34291d86a33a4e7f80ca3f6bfb2f9d
Instruction Fuzzy Hash: B421E6B59002089FDB10CFDAD984ADEFBF4EB48324F14841AE958A3310D378A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010BD5F0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010BD677

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3a024e58d39511916c71be80578657f1fe39de551ef6370076d55046092a9f9b
Instruction ID: d824daf9a99cc89990ff318755f8dbb2823596d07f43e63f3e6f62156a24d483
Opcode Fuzzy Hash: 3a024e58d39511916c71be80578657f1fe39de551ef6370076d55046092a9f9b
Instruction Fuzzy Hash: 9521D8B59012099FDB10CFDAD984ADEFBF4FB48324F14841AE958A3310D774A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010B4C37 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 010B4CC2

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 5f37fcb0c57cae226b25725d0f3f58bbc51518fb0d7bd3e12a474fb38529616f
Instruction ID: 60d4593d79ec56ae9f3d0882d453a1340a76734d67bfdfc1f9a2cf285af18f27
Opcode Fuzzy Hash: 5f37fcb0c57cae226b25725d0f3f58bbc51518fb0d7bd3e12a474fb38529616f
Instruction Fuzzy Hash: 6A21CD708402088FDB50DFA9C5487DABBF8FB09318F10882DC445E7602C7396A488FA1

Uniqueness

Uniqueness Score: -1.00%

Function 010B4EE8 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 010B4F6D

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 024155a95f2db88e2fe125fe4bb5e01a7d69b88d4a9b1df77cd03a62a4c3f018
Instruction ID: ed60e75604d3e38f763cebbb42e9c3d110ba47fb37c61437098ed0ede77da2fb
Opcode Fuzzy Hash: 024155a95f2db88e2fe125fe4bb5e01a7d69b88d4a9b1df77cd03a62a4c3f018
Instruction Fuzzy Hash: C2218CB1D403498FDB60DF99D5897DABBF8EB18358F10481DD455F3202D778A684CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010BAB28 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010BB391,00000800,00000000,00000000), ref: 010BB5A2

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c04aded0a9496f1e16d8090accc2ea48fa0d7eea83a6590adc8b2b2167d8fc5b
Instruction ID: f52536ec641cca5964594106c9fdaf48190ce18800b87436bf26d815f645a162
Opcode Fuzzy Hash: c04aded0a9496f1e16d8090accc2ea48fa0d7eea83a6590adc8b2b2167d8fc5b
Instruction Fuzzy Hash: 061117B29002099FDB10CF9AD484BDEFBF4EB48324F14841ED955A7700C774A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010BB530 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010BB391,00000800,00000000,00000000), ref: 010BB5A2

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f138bdb6ee32191ea295946b7238a575dcaf398467ff37daeb9f833479af4987
Instruction ID: 016facaa5fbc5dd6144ece95e433a7477aa450204050fdcf032163d0e2948238
Opcode Fuzzy Hash: f138bdb6ee32191ea295946b7238a575dcaf398467ff37daeb9f833479af4987
Instruction Fuzzy Hash: 451114B68002099FDB10CF9AC884BDEFBF8EB48324F14841AD559A7600D774A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010B4C48 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 010B4CC2

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 5c76cbf1a31bd68f5d90c4e5a8f7cb86b3e3aae1aa66185e5a439bd306229de8
Instruction ID: f6ac13d4dc08f75209cc8deb002fd3fa4cea473b33d14b2f5aaee6ca867cdca8
Opcode Fuzzy Hash: 5c76cbf1a31bd68f5d90c4e5a8f7cb86b3e3aae1aa66185e5a439bd306229de8
Instruction Fuzzy Hash: 291189709402098FDBA0EFA9D5487DABBF8FB09358F108429D445E7642CB396A848FA1

Uniqueness

Uniqueness Score: -1.00%

Function 010BB2B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010BB316

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 20dd4bc0314370ec8266293c262c908b999b898824bed392212a1527ae39228f
Instruction ID: 880842694b241c5994e4ceef6d5f71db5a5bcee5eb7815cf1ddb077a41292439
Opcode Fuzzy Hash: 20dd4bc0314370ec8266293c262c908b999b898824bed392212a1527ae39228f
Instruction Fuzzy Hash: A01113B1C006498FDB10CF9AC484BDEFBF4EB49224F14841AD859B7600C378A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 010BDF0C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.414691907.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10b0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e445b55baaf88030f1149957493f4e3c6c732335db6c75f98df17cd7d3132a2d
Instruction ID: b458282d2eb6c68ad18f032bfbbba65a910c740e3e7348a963d259ac3639a20f
Opcode Fuzzy Hash: e445b55baaf88030f1149957493f4e3c6c732335db6c75f98df17cd7d3132a2d
Instruction Fuzzy Hash: 87A16E32E1021A8FCF19DFB5C8845DDBBF2FF89304B1585AAE905AB261DB31E955CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: llcubnch6T.exePID: 3720, Parent PID: 5324COMMON

Executed Functions

Function 015C1728 Relevance: 2.9, Strings: 2, Instructions: 446COMMON

Download Yara Rule

Strings

,, xrefs: 015C186F
#Lk^, xrefs: 015C1B51

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID: ,$#Lk^
API String ID: 0-1543376746
Opcode ID: 582c3232e0a7b444ba87b475962464c3fe7d8a47ae3e179b1b807d01061228e2
Instruction ID: 827f5f0c5c63e5ed2388052ad818046f8c5f218ba9fbe4972caf7345cff96de3
Opcode Fuzzy Hash: 582c3232e0a7b444ba87b475962464c3fe7d8a47ae3e179b1b807d01061228e2
Instruction Fuzzy Hash: 16029D30600201CFDB14AF64D494AAEB7E2FF85708F11896CD4159F3A6DF799C8ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 015C0AB8 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116d5ea9f95be68675c38355fdcfb87bd0955b449a0ef1af5ad36d942d20f539
Instruction ID: 3e24f550815d1dd87e1d6a0a9e97491c21efcfc9be507682ac21e845d85a577b
Opcode Fuzzy Hash: 116d5ea9f95be68675c38355fdcfb87bd0955b449a0ef1af5ad36d942d20f539
Instruction Fuzzy Hash: 9F519C74B101149FCB44DF68C454AADBBF6BF89714F1580A9E406EF3A1CB789C068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 015C0920 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ccb2909685820e0602efd7d6a7b6464484fa066db67dbe99ab255f6bbf917b
Instruction ID: f513eee62d45018302e1cb250e12310fbf85ecb646d9ef4616aeb6e6a2071c58
Opcode Fuzzy Hash: c5ccb2909685820e0602efd7d6a7b6464484fa066db67dbe99ab255f6bbf917b
Instruction Fuzzy Hash: 0041BE347002058FDB149FA8D454A9EBBF2BF89214F1485A9E105EF3A1CB78DC098BA1

Uniqueness

Uniqueness Score: -1.00%

Function 015C06A0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3b7128d404be8b6d40cdcc684221f7ca34144c4a5503e9dc9e8f04be559a11
Instruction ID: 203b09406284cf14da6242d6bf5a46bc826ad49f3c5ff42cd438db0692ba0546
Opcode Fuzzy Hash: de3b7128d404be8b6d40cdcc684221f7ca34144c4a5503e9dc9e8f04be559a11
Instruction Fuzzy Hash: 6A51E834611301CFCB55EF34E14589A776AFB85389351A939D811AB368EB3DAE4BCF80

Uniqueness

Uniqueness Score: -1.00%

Function 015C0DD0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df18520a6681c3a23b497ddc03bc38a841a19bb479c254207a13705f2857b7d
Instruction ID: 801a8dfa190b4af6dd281790f1b0e006217fd8ba917bf8626adcb7f8e65f6d15
Opcode Fuzzy Hash: 8df18520a6681c3a23b497ddc03bc38a841a19bb479c254207a13705f2857b7d
Instruction Fuzzy Hash: D531C271E001099FCB14EBB884112AEBBF6EFD9604F14856DD40ADB741DB38D9468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 015C0910 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f340a314f26b042b5fad1aea8344e17fa9399b35e0b34e21c95861b0d5fbe452
Instruction ID: ee4be40cf8468cb07b8b034ecdba5f851d07d0469f69de09ec69aa2667f5b7fc
Opcode Fuzzy Hash: f340a314f26b042b5fad1aea8344e17fa9399b35e0b34e21c95861b0d5fbe452
Instruction Fuzzy Hash: 28318D34A00205DFDB14DFA8C494AAEBBF6FF89304F148569E405AF3A1C7799C49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015C0F39 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bef7d44269bf3732897c2bd54d74385e631cd5eccb247c8cc840b9a73165c0
Instruction ID: 21423db65b808e67e9144e36f284c86822f6c9e469f123240969e56534b454f4
Opcode Fuzzy Hash: e0bef7d44269bf3732897c2bd54d74385e631cd5eccb247c8cc840b9a73165c0
Instruction Fuzzy Hash: A031B135B002168FCB54DBB8985196FBBF6AF89208B1444BDE545DB3A1EB38DC4287A1

Uniqueness

Uniqueness Score: -1.00%

Function 015C0C2E Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e81fcf052c0d5e7328fb78bb5284289a3003572cd503f94144b59688f975bd
Instruction ID: 94d59a1ce1a1bf250dfb54ee4a30bed9d6d5453af1dbe1aa36b15fe948a13d55
Opcode Fuzzy Hash: 37e81fcf052c0d5e7328fb78bb5284289a3003572cd503f94144b59688f975bd
Instruction Fuzzy Hash: 02213C39B001158FE714DBA8C554BADBBE2BF89B14F258158E5069F3A1CA759C01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 015C0598 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d12374a157851928ee6cc48adc221208e218166b0dbe1f85b07cf6f10b1a88
Instruction ID: 595a5a4c7fa828b9b53a872d59a2943ad53cbe78764f314f0d180e304ed43a01
Opcode Fuzzy Hash: d7d12374a157851928ee6cc48adc221208e218166b0dbe1f85b07cf6f10b1a88
Instruction Fuzzy Hash: 61216234614301CFDB65AFF9E55567E3BA8FB94B85B11243DB812DE280EB38C884DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0152D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630319388.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_152d000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def86433122d15903510f47ce4ab3fc8369d5bf3bb0eb272844ea677cf6ba852
Instruction ID: 0d940c96723602de03e2df70c7791f24f9ba77e12b43c40fc9d5d57ed83c2c7d
Opcode Fuzzy Hash: def86433122d15903510f47ce4ab3fc8369d5bf3bb0eb272844ea677cf6ba852
Instruction Fuzzy Hash: 862148B2500240DFDB05CF54D9C0BAABBB1FB85324F24C569E8050F686C376E44AC7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0152D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630319388.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_152d000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eed09ce4d53d5ee984c139b6836afbd8ce7a30df76fd671ec343b35d27d39e2
Instruction ID: 1852296ce34299e835e312755a5b3ab7fb760c119e28d37f007c1531142781a5
Opcode Fuzzy Hash: 7eed09ce4d53d5ee984c139b6836afbd8ce7a30df76fd671ec343b35d27d39e2
Instruction Fuzzy Hash: 6B2148B2604240DFDB01CF94D9C0B6ABFB1FB85328F24C569E9050F296C3BAD449C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 015C05A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6492cee4d6e7a2de40b67d47dcde90f6fc90d13708d630f274889eefc29632a
Instruction ID: 5ae537ba6d3f982b2aabce6843fa3776000c950a7b4370c9a2b12d609a97c747
Opcode Fuzzy Hash: d6492cee4d6e7a2de40b67d47dcde90f6fc90d13708d630f274889eefc29632a
Instruction Fuzzy Hash: E2214134715201CFDF69AFF9951562E3AA4FB94A89B21183CB816CE280EB38C484DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0152D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630319388.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_152d000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6e80efca3d6f4b3c80f07f18239913a808e1f69b855b1855883133c21e4cdf
Instruction ID: 1047368e5efb1e4d66094f8de80be0a34204d5f752da82dc8c32694d927c61f3
Opcode Fuzzy Hash: 6b6e80efca3d6f4b3c80f07f18239913a808e1f69b855b1855883133c21e4cdf
Instruction Fuzzy Hash: BC11E172504280CFDB02CF44D5C0B1ABF71FB84324F24C6A9D9050F656C37AD456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0152D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630319388.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_152d000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6e80efca3d6f4b3c80f07f18239913a808e1f69b855b1855883133c21e4cdf
Instruction ID: 575a3b9ad00cb5c955f1e517eb27afbc84f0b27713a26d5f9402d1852c453ec2
Opcode Fuzzy Hash: 6b6e80efca3d6f4b3c80f07f18239913a808e1f69b855b1855883133c21e4cdf
Instruction Fuzzy Hash: 6511E172404280CFCB02CF54D9C0B5ABF71FB84324F24C6A9D8484B656C37AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015C1031 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205cc467b55ab776de7e071fbb9e70cb642d6a5b68e3d69e3fde76a508be2e2a
Instruction ID: aa9788eed7da2da02aefc2cbf2bca57236be645484c036cc21ed46ff669f9d98
Opcode Fuzzy Hash: 205cc467b55ab776de7e071fbb9e70cb642d6a5b68e3d69e3fde76a508be2e2a
Instruction Fuzzy Hash: 8911C270B00250CFCB54EFB8D4A69AA7BF5EF8925470504B8C805EB312EB39CC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015C1040 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e792f8cf18bc0e9b2d035d4de3a42dd0920812593ae039b4f7cf33e61ef59351
Instruction ID: e9064f5b8ef380cb2e532035c5cb897bd00cb14a2216dc3335ebe974915ede9e
Opcode Fuzzy Hash: e792f8cf18bc0e9b2d035d4de3a42dd0920812593ae039b4f7cf33e61ef59351
Instruction Fuzzy Hash: C4118B70B00214CFCB54EFB9D4A59AA77EAEF886887110479D406EB311EF39DC06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015C0A3D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11aef17f03f04a9177e2ccc2f20920f3091eb240d682b2c4e6d89d116bab7da
Instruction ID: c83fcf46c6a47310cac461f6b56b1ca5a2f075cf07e4c922d8c730775af64940
Opcode Fuzzy Hash: b11aef17f03f04a9177e2ccc2f20920f3091eb240d682b2c4e6d89d116bab7da
Instruction Fuzzy Hash: 46012D303083514FC7459778A8244AE3BE7EFCB16531544BAD009CF3B2DE2C8C0A8761

Uniqueness

Uniqueness Score: -1.00%

Function 015C0A80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71612034010edcc2d9da9d93a8236c48bfadab4c1431a53814cded80629a6747
Instruction ID: 2963e1d8874aab1dcff818f65326d94e036294f6c50401c27f2ce89910bf1e17
Opcode Fuzzy Hash: 71612034010edcc2d9da9d93a8236c48bfadab4c1431a53814cded80629a6747
Instruction Fuzzy Hash: 3CE0C2313002204F8754967EB884C5BB7DAEFCD1B93150079F109C7321DE75DC018790

Uniqueness

Uniqueness Score: -1.00%

Function 015C0673 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffc4c852021ea605d5615a658f9301b7460b294fa6bc080ea93d16e00fa648c
Instruction ID: 9a9e53f29b613475d89164fa13724e2399bda62455efc220a7334f8c3385e7d7
Opcode Fuzzy Hash: 8ffc4c852021ea605d5615a658f9301b7460b294fa6bc080ea93d16e00fa648c
Instruction Fuzzy Hash: 41C08C2801A280CFDB362FF4A10CA6C3AA077E0B08F119458B0230EBC5DF3408CC9752

Uniqueness

Uniqueness Score: -1.00%

Function 015C068F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.630570543.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_llcubnch6T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25606345fde8d0a54cb92def09a30476f4b54644b817ab70aaed0dc26ad4b451
Instruction ID: ae7daa2f395b99c13f48d3c084048a823c71f735d4c6b2567ff68ed6b05c1c0d
Opcode Fuzzy Hash: 25606345fde8d0a54cb92def09a30476f4b54644b817ab70aaed0dc26ad4b451
Instruction Fuzzy Hash: AEC04C2C41A241CFD7762FF4A10DA6C39A07BE0B09F519458B4635EBC9DF34488C9BA2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report llcubnch6T

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\llcubnch6T.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wwz4tj5.5nu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1zr1t5y.vgy.ps1

C:\Users\user\AppData\Local\Temp\tmp95A0.tmp

C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe

C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe:Zone.Identifier

C:\Users\user\Documents\20220805\PowerShell_transcript.724471.0b0YCxHN.20220805210738.txt

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
llcubnch6T

Function 010BB0D0 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Function 010B543C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 010B707D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 05F0A1A0 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 010BD5E8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 010BD5F0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 010B4C37 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 010B4EE8 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Function 010BAB28 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 010BB530 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 010B4C48 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Function 010BB2B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON