Edit tour

Windows Analysis Report
gNrfORqjCV.exe

Overview

General Information

Sample Name:	gNrfORqjCV.exe
Analysis ID:	800437
MD5:	60c8d91adfa30a60afa2f5437ce7d041
SHA1:	f8460389f343481d7420073ad1da2f90ddedc696
SHA256:	5707c702f70cc5bf864e10aaab48f9300e3be0a7892d8faa1810145f0af93d2d
Tags:	exe
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

gNrfORqjCV.exe (PID: 5240 cmdline: C:\Users\user\Desktop\gNrfORqjCV.exe MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

powershell.exe (PID: 492 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 1544 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5936 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

gNrfORqjCV.exe (PID: 5320 cmdline: C:\Users\user\Desktop\gNrfORqjCV.exe MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

schtasks.exe (PID: 5256 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2556.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6016 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp27D7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

GzGmImHFmOq.exe (PID: 5000 cmdline: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

schtasks.exe (PID: 5660 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp389B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

GzGmImHFmOq.exe (PID: 5544 cmdline: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

gNrfORqjCV.exe (PID: 5248 cmdline: C:\Users\user\Desktop\gNrfORqjCV.exe 0 MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

powershell.exe (PID: 1252 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 400 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 1640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5684 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

gNrfORqjCV.exe (PID: 1324 cmdline: C:\Users\user\Desktop\gNrfORqjCV.exe MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

dhcpmon.exe (PID: 4544 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

dhcpmon.exe (PID: 4720 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "cb7cb109-a06b-4fd7-8d0e-5290e77d", "Group": "MOFASA", "Domain1": "nonoise.duckdns.org", "Domain2": "127.0.0.1", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "84.200.70.40", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435d5:$a: NanoCore 0x4362e:$a: NanoCore 0x4366b:$a: NanoCore 0x436e4:$a: NanoCore 0x56d8f:$a: NanoCore 0x56da4:$a: NanoCore 0x56dd9:$a: NanoCore 0x6fd7b:$a: NanoCore 0x6fd90:$a: NanoCore 0x6fdc5:$a: NanoCore 0x43637:$b: ClientPlugin 0x43674:$b: ClientPlugin 0x43f72:$b: ClientPlugin 0x43f7f:$b: ClientPlugin 0x56b4b:$b: ClientPlugin 0x56b66:$b: ClientPlugin 0x56b96:$b: ClientPlugin 0x56dad:$b: ClientPlugin 0x56de2:$b: ClientPlugin 0x6fb37:$b: ClientPlugin 0x6fb52:$b: ClientPlugin
00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4366b:$a1: NanoCore.ClientPluginHost 0x56dd9:$a1: NanoCore.ClientPluginHost 0x6fdc5:$a1: NanoCore.ClientPluginHost 0x4362e:$a2: NanoCore.ClientPlugin 0x56da4:$a2: NanoCore.ClientPlugin 0x6fd90:$a2: NanoCore.ClientPlugin 0x43a02:$b1: get_BuilderSettings 0x5bd1f:$b1: get_BuilderSettings 0x74d0b:$b1: get_BuilderSettings 0x436b9:$b4: IClientAppHost 0x43a73:$b6: AddHostEntry 0x43ae2:$b7: LogClientException 0x5bc8e:$b7: LogClientException 0x74c7a:$b7: LogClientException 0x43a57:$b8: PipeExists 0x436a6:$b9: IClientLoggingHost 0x56df3:$b9: IClientLoggingHost 0x6fddf:$b9: IClientLoggingHost
0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x44b3d:$x1: NanoCore.ClientPluginHost 0x7775d:$x1: NanoCore.ClientPluginHost 0xaa17d:$x1: NanoCore.ClientPluginHost 0x44b7a:$x2: IClientNetworkHost 0x7779a:$x2: IClientNetworkHost 0xaa1ba:$x2: IClientNetworkHost 0x486ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7b2cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xadced:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x448a5:$a: NanoCore 0x448b5:$a: NanoCore 0x44ae9:$a: NanoCore 0x44afd:$a: NanoCore 0x44b3d:$a: NanoCore 0x774c5:$a: NanoCore 0x774d5:$a: NanoCore 0x77709:$a: NanoCore 0x7771d:$a: NanoCore 0x7775d:$a: NanoCore 0xa9ee5:$a: NanoCore 0xa9ef5:$a: NanoCore 0xaa129:$a: NanoCore 0xaa13d:$a: NanoCore 0xaa17d:$a: NanoCore 0x44904:$b: ClientPlugin 0x44b06:$b: ClientPlugin 0x44b46:$b: ClientPlugin 0x77524:$b: ClientPlugin 0x77726:$b: ClientPlugin 0x77766:$b: ClientPlugin
0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x44b3d:$a1: NanoCore.ClientPluginHost 0x7775d:$a1: NanoCore.ClientPluginHost 0xaa17d:$a1: NanoCore.ClientPluginHost 0x44afd:$a2: NanoCore.ClientPlugin 0x7771d:$a2: NanoCore.ClientPlugin 0xaa13d:$a2: NanoCore.ClientPlugin 0x46a56:$b1: get_BuilderSettings 0x79676:$b1: get_BuilderSettings 0xac096:$b1: get_BuilderSettings 0x44959:$b2: ClientLoaderForm.resources 0x77579:$b2: ClientLoaderForm.resources 0xa9f99:$b2: ClientLoaderForm.resources 0x46176:$b3: PluginCommand 0x78d96:$b3: PluginCommand 0xab7b6:$b3: PluginCommand 0x44b2e:$b4: IClientAppHost 0x7774e:$b4: IClientAppHost 0xaa16e:$b4: IClientAppHost 0x4efae:$b5: GetBlockHash 0x81bce:$b5: GetBlockHash 0xb45ee:$b5: GetBlockHash
00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x70e9:$a1: NanoCore.ClientPluginHost 0x70ac:$a2: NanoCore.ClientPlugin 0x7480:$b1: get_BuilderSettings 0x7137:$b4: IClientAppHost 0x74f1:$b6: AddHostEntry 0x7560:$b7: LogClientException 0x74d5:$b8: PipeExists 0x7124:$b9: IClientLoggingHost
00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x44bc5:$x1: NanoCore.ClientPluginHost 0x777e5:$x1: NanoCore.ClientPluginHost 0xaa205:$x1: NanoCore.ClientPluginHost 0x44c02:$x2: IClientNetworkHost 0x77822:$x2: IClientNetworkHost 0xaa242:$x2: IClientNetworkHost 0x48735:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7b355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xadd75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4492d:$a: NanoCore 0x4493d:$a: NanoCore 0x44b71:$a: NanoCore 0x44b85:$a: NanoCore 0x44bc5:$a: NanoCore 0x7754d:$a: NanoCore 0x7755d:$a: NanoCore 0x77791:$a: NanoCore 0x777a5:$a: NanoCore 0x777e5:$a: NanoCore 0xa9f6d:$a: NanoCore 0xa9f7d:$a: NanoCore 0xaa1b1:$a: NanoCore 0xaa1c5:$a: NanoCore 0xaa205:$a: NanoCore 0x4498c:$b: ClientPlugin 0x44b8e:$b: ClientPlugin 0x44bce:$b: ClientPlugin 0x775ac:$b: ClientPlugin 0x777ae:$b: ClientPlugin 0x777ee:$b: ClientPlugin
00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x44bc5:$a1: NanoCore.ClientPluginHost 0x777e5:$a1: NanoCore.ClientPluginHost 0xaa205:$a1: NanoCore.ClientPluginHost 0x44b85:$a2: NanoCore.ClientPlugin 0x777a5:$a2: NanoCore.ClientPlugin 0xaa1c5:$a2: NanoCore.ClientPlugin 0x46ade:$b1: get_BuilderSettings 0x796fe:$b1: get_BuilderSettings 0xac11e:$b1: get_BuilderSettings 0x449e1:$b2: ClientLoaderForm.resources 0x77601:$b2: ClientLoaderForm.resources 0xaa021:$b2: ClientLoaderForm.resources 0x461fe:$b3: PluginCommand 0x78e1e:$b3: PluginCommand 0xab83e:$b3: PluginCommand 0x44bb6:$b4: IClientAppHost 0x777d6:$b4: IClientAppHost 0xaa1f6:$b4: IClientAppHost 0x4f036:$b5: GetBlockHash 0x81c56:$b5: GetBlockHash 0xb4676:$b5: GetBlockHash
00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69367:$a: NanoCore 0x693c0:$a: NanoCore 0x693fd:$a: NanoCore 0x69476:$a: NanoCore 0x693c9:$b: ClientPlugin 0x69406:$b: ClientPlugin 0x69d04:$b: ClientPlugin 0x69d11:$b: ClientPlugin 0x5f4de:$e: KeepAlive 0x69851:$g: LogClientMessage 0x697d1:$i: get_Connected 0x5979d:$j: #=q 0x597cd:$j: #=q 0x59809:$j: #=q 0x59831:$j: #=q 0x59861:$j: #=q 0x59891:$j: #=q 0x598c1:$j: #=q 0x598f1:$j: #=q 0x5990d:$j: #=q 0x5993d:$j: #=q
00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x693fd:$a1: NanoCore.ClientPluginHost 0x693c0:$a2: NanoCore.ClientPlugin 0x5acd7:$b1: get_BuilderSettings 0x69794:$b1: get_BuilderSettings 0x6944b:$b4: IClientAppHost 0x69805:$b6: AddHostEntry 0x5ac46:$b7: LogClientException 0x69874:$b7: LogClientException 0x697e9:$b8: PipeExists 0x69438:$b9: IClientLoggingHost
0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69433:$a: NanoCore 0x6948c:$a: NanoCore 0x694c9:$a: NanoCore 0x69542:$a: NanoCore 0x69495:$b: ClientPlugin 0x694d2:$b: ClientPlugin 0x69dd0:$b: ClientPlugin 0x69ddd:$b: ClientPlugin 0x5f5aa:$e: KeepAlive 0x6991d:$g: LogClientMessage 0x6989d:$i: get_Connected 0x59869:$j: #=q 0x59899:$j: #=q 0x598d5:$j: #=q 0x598fd:$j: #=q 0x5992d:$j: #=q 0x5995d:$j: #=q 0x5998d:$j: #=q 0x599bd:$j: #=q 0x599d9:$j: #=q 0x59a09:$j: #=q
0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694c9:$a1: NanoCore.ClientPluginHost 0x6948c:$a2: NanoCore.ClientPlugin 0x5ada3:$b1: get_BuilderSettings 0x69860:$b1: get_BuilderSettings 0x69517:$b4: IClientAppHost 0x698d1:$b6: AddHostEntry 0x5ad12:$b7: LogClientException 0x69940:$b7: LogClientException 0x698b5:$b8: PipeExists 0x69504:$b9: IClientLoggingHost
00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x457b5:$x1: NanoCore.ClientPluginHost 0x783d5:$x1: NanoCore.ClientPluginHost 0xaadf5:$x1: NanoCore.ClientPluginHost 0x457f2:$x2: IClientNetworkHost 0x78412:$x2: IClientNetworkHost 0xaae32:$x2: IClientNetworkHost 0x49325:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7bf45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xae965:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4551d:$a: NanoCore 0x4552d:$a: NanoCore 0x45761:$a: NanoCore 0x45775:$a: NanoCore 0x457b5:$a: NanoCore 0x7813d:$a: NanoCore 0x7814d:$a: NanoCore 0x78381:$a: NanoCore 0x78395:$a: NanoCore 0x783d5:$a: NanoCore 0xaab5d:$a: NanoCore 0xaab6d:$a: NanoCore 0xaada1:$a: NanoCore 0xaadb5:$a: NanoCore 0xaadf5:$a: NanoCore 0x4557c:$b: ClientPlugin 0x4577e:$b: ClientPlugin 0x457be:$b: ClientPlugin 0x7819c:$b: ClientPlugin 0x7839e:$b: ClientPlugin 0x783de:$b: ClientPlugin
00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x457b5:$a1: NanoCore.ClientPluginHost 0x783d5:$a1: NanoCore.ClientPluginHost 0xaadf5:$a1: NanoCore.ClientPluginHost 0x45775:$a2: NanoCore.ClientPlugin 0x78395:$a2: NanoCore.ClientPlugin 0xaadb5:$a2: NanoCore.ClientPlugin 0x476ce:$b1: get_BuilderSettings 0x7a2ee:$b1: get_BuilderSettings 0xacd0e:$b1: get_BuilderSettings 0x455d1:$b2: ClientLoaderForm.resources 0x781f1:$b2: ClientLoaderForm.resources 0xaac11:$b2: ClientLoaderForm.resources 0x46dee:$b3: PluginCommand 0x79a0e:$b3: PluginCommand 0xac42e:$b3: PluginCommand 0x457a6:$b4: IClientAppHost 0x783c6:$b4: IClientAppHost 0xaade6:$b4: IClientAppHost 0x4fc26:$b5: GetBlockHash 0x82846:$b5: GetBlockHash 0xb5266:$b5: GetBlockHash
00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 5240	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2536a3:$x1: NanoCore.ClientPluginHost 0x2536e0:$x2: IClientNetworkHost 0x2571c8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x262246:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26e2c0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x27967c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: gNrfORqjCV.exe PID: 5240	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 5240	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 5240	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x253370:$a: NanoCore 0x253380:$a: NanoCore 0x25343f:$a: NanoCore 0x25344e:$a: NanoCore 0x25364f:$a: NanoCore 0x253663:$a: NanoCore 0x2536a3:$a: NanoCore 0x25e8b0:$a: NanoCore 0x25e8c2:$a: NanoCore 0x25e8fe:$a: NanoCore 0x26a92a:$a: NanoCore 0x26a93c:$a: NanoCore 0x26a978:$a: NanoCore 0x275ce6:$a: NanoCore 0x275cf8:$a: NanoCore 0x275d34:$a: NanoCore 0x2533cf:$b: ClientPlugin 0x253498:$b: ClientPlugin 0x25366c:$b: ClientPlugin 0x2536ac:$b: ClientPlugin 0x25e8cb:$b: ClientPlugin
Process Memory Space: gNrfORqjCV.exe PID: 5240	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2536a3:$a1: NanoCore.ClientPluginHost 0x253663:$a2: NanoCore.ClientPlugin 0x255571:$b1: get_BuilderSettings 0x253424:$b2: ClientLoaderForm.resources 0x254c91:$b3: PluginCommand 0x253694:$b4: IClientAppHost 0x25dabc:$b5: GetBlockHash 0x255bc9:$b6: AddHostEntry 0x260ce0:$b6: AddHostEntry 0x26cd5a:$b6: AddHostEntry 0x278116:$b6: AddHostEntry 0x2598bc:$b7: LogClientException 0x264821:$b7: LogClientException 0x27089b:$b7: LogClientException 0x27bc57:$b7: LogClientException 0x255b36:$b8: PipeExists 0x260c54:$b8: PipeExists 0x26ccce:$b8: PipeExists 0x27808a:$b8: PipeExists 0x2536cd:$b9: IClientLoggingHost
Process Memory Space: GzGmImHFmOq.exe PID: 5000	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3d74a:$x1: NanoCore.ClientPluginHost 0x3d787:$x2: IClientNetworkHost 0x4126f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4c2ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x58367:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x63723:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: GzGmImHFmOq.exe PID: 5000	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: GzGmImHFmOq.exe PID: 5000	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: GzGmImHFmOq.exe PID: 5000	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3d417:$a: NanoCore 0x3d427:$a: NanoCore 0x3d4e6:$a: NanoCore 0x3d4f5:$a: NanoCore 0x3d6f6:$a: NanoCore 0x3d70a:$a: NanoCore 0x3d74a:$a: NanoCore 0x48957:$a: NanoCore 0x48969:$a: NanoCore 0x489a5:$a: NanoCore 0x549d1:$a: NanoCore 0x549e3:$a: NanoCore 0x54a1f:$a: NanoCore 0x5fd8d:$a: NanoCore 0x5fd9f:$a: NanoCore 0x5fddb:$a: NanoCore 0x3d476:$b: ClientPlugin 0x3d53f:$b: ClientPlugin 0x3d713:$b: ClientPlugin 0x3d753:$b: ClientPlugin 0x48972:$b: ClientPlugin
Process Memory Space: GzGmImHFmOq.exe PID: 5000	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d74a:$a1: NanoCore.ClientPluginHost 0x3d70a:$a2: NanoCore.ClientPlugin 0x3f618:$b1: get_BuilderSettings 0x3d4cb:$b2: ClientLoaderForm.resources 0x3ed38:$b3: PluginCommand 0x3d73b:$b4: IClientAppHost 0x47b63:$b5: GetBlockHash 0x3fc70:$b6: AddHostEntry 0x4ad87:$b6: AddHostEntry 0x56e01:$b6: AddHostEntry 0x621bd:$b6: AddHostEntry 0x43963:$b7: LogClientException 0x4e8c8:$b7: LogClientException 0x5a942:$b7: LogClientException 0x65cfe:$b7: LogClientException 0x3fbdd:$b8: PipeExists 0x4acfb:$b8: PipeExists 0x56d75:$b8: PipeExists 0x62131:$b8: PipeExists 0x3d774:$b9: IClientLoggingHost
Process Memory Space: gNrfORqjCV.exe PID: 5320	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2f882:$a1: NanoCore.ClientPluginHost 0x2f845:$a2: NanoCore.ClientPlugin 0x2fbfc:$b1: get_BuilderSettings 0x2f8d0:$b4: IClientAppHost 0x2fc6d:$b6: AddHostEntry 0x2fcdc:$b7: LogClientException 0x2fc51:$b8: PipeExists 0x2f8bd:$b9: IClientLoggingHost
Process Memory Space: gNrfORqjCV.exe PID: 5248	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1278f:$x1: NanoCore.ClientPluginHost 0x127cc:$x2: IClientNetworkHost 0x162b4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x21332:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2d3ac:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x38768:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: gNrfORqjCV.exe PID: 5248	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 5248	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1245c:$a: NanoCore 0x1246c:$a: NanoCore 0x1252b:$a: NanoCore 0x1253a:$a: NanoCore 0x1273b:$a: NanoCore 0x1274f:$a: NanoCore 0x1278f:$a: NanoCore 0x1d99c:$a: NanoCore 0x1d9ae:$a: NanoCore 0x1d9ea:$a: NanoCore 0x29a16:$a: NanoCore 0x29a28:$a: NanoCore 0x29a64:$a: NanoCore 0x34dd2:$a: NanoCore 0x34de4:$a: NanoCore 0x34e20:$a: NanoCore 0x124bb:$b: ClientPlugin 0x12584:$b: ClientPlugin 0x12758:$b: ClientPlugin 0x12798:$b: ClientPlugin 0x1d9b7:$b: ClientPlugin
Process Memory Space: gNrfORqjCV.exe PID: 5248	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1278f:$a1: NanoCore.ClientPluginHost 0x1274f:$a2: NanoCore.ClientPlugin 0x1465d:$b1: get_BuilderSettings 0x12510:$b2: ClientLoaderForm.resources 0x13d7d:$b3: PluginCommand 0x12780:$b4: IClientAppHost 0x1cba8:$b5: GetBlockHash 0x14cb5:$b6: AddHostEntry 0x1fdcc:$b6: AddHostEntry 0x2be46:$b6: AddHostEntry 0x37202:$b6: AddHostEntry 0x189a8:$b7: LogClientException 0x2390d:$b7: LogClientException 0x2f987:$b7: LogClientException 0x3ad43:$b7: LogClientException 0x14c22:$b8: PipeExists 0x1fd40:$b8: PipeExists 0x2bdba:$b8: PipeExists 0x37176:$b8: PipeExists 0x127b9:$b9: IClientLoggingHost
Process Memory Space: dhcpmon.exe PID: 4544	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 1324	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf30:$x1: NanoCore.ClientPluginHost 0x1a15d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0xf6d:$x2: IClientNetworkHost 0x1a177:$x2: IClientNetworkHost 0x42fc7:$x2: IClientNetworkHost 0x4a5e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xfae4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: gNrfORqjCV.exe PID: 1324	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 1324	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbfd:$a: NanoCore 0xc0d:$a: NanoCore 0xccc:$a: NanoCore 0xcdb:$a: NanoCore 0xedc:$a: NanoCore 0xef0:$a: NanoCore 0xf30:$a: NanoCore 0xc14e:$a: NanoCore 0xc160:$a: NanoCore 0xc19c:$a: NanoCore 0x1a0c7:$a: NanoCore 0x1a120:$a: NanoCore 0x1a15d:$a: NanoCore 0x1a1d6:$a: NanoCore 0x1aa8f:$a: NanoCore 0x1aae2:$a: NanoCore 0x1ab1b:$a: NanoCore 0x1ab8e:$a: NanoCore 0x22160:$a: NanoCore 0x22173:$a: NanoCore 0x221a5:$a: NanoCore
Process Memory Space: gNrfORqjCV.exe PID: 1324	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf30:$a1: NanoCore.ClientPluginHost 0x1a15d:$a1: NanoCore.ClientPluginHost 0x42fad:$a1: NanoCore.ClientPluginHost 0xef0:$a2: NanoCore.ClientPlugin 0x1a120:$a2: NanoCore.ClientPlugin 0x42f70:$a2: NanoCore.ClientPlugin 0x2e07:$b1: get_BuilderSettings 0x1a4d7:$b1: get_BuilderSettings 0x3c6f5:$b1: get_BuilderSettings 0xcb1:$b2: ClientLoaderForm.resources 0x2527:$b3: PluginCommand 0xf21:$b4: IClientAppHost 0x1a1ab:$b4: IClientAppHost 0x42ffb:$b4: IClientAppHost 0xb35a:$b5: GetBlockHash 0x345f:$b6: AddHostEntry 0xe57e:$b6: AddHostEntry 0x1a548:$b6: AddHostEntry 0x4330e:$b6: AddHostEntry 0x7152:$b7: LogClientException 0x120bf:$b7: LogClientException
Process Memory Space: GzGmImHFmOq.exe PID: 5544	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: GzGmImHFmOq.exe PID: 5544	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x38c3:$a: NanoCore 0x391e:$a: NanoCore 0x3992:$a: NanoCore 0x18e79:$a: NanoCore 0x18ed2:$a: NanoCore 0x18f0f:$a: NanoCore 0x18f88:$a: NanoCore 0x19716:$a: NanoCore 0x19769:$a: NanoCore 0x197a2:$a: NanoCore 0x19815:$a: NanoCore 0x1a323:$a: NanoCore 0x141c9:$b: ClientPlugin 0x1420a:$b: ClientPlugin 0x18edb:$b: ClientPlugin 0x18f18:$b: ClientPlugin 0x196c6:$b: ClientPlugin 0x196d3:$b: ClientPlugin 0x19772:$b: ClientPlugin 0x197ab:$b: ClientPlugin 0x1a01a:$b: ClientPlugin
Process Memory Space: GzGmImHFmOq.exe PID: 5544	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x18f0f:$a1: NanoCore.ClientPluginHost 0x18ed2:$a2: NanoCore.ClientPlugin 0x12651:$b1: get_BuilderSettings 0x18f5d:$b4: IClientAppHost 0x19270:$b6: AddHostEntry 0x125c0:$b7: LogClientException 0x19254:$b8: PipeExists 0x18f4a:$b9: IClientLoggingHost
Click to see the 57 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
23.2.gNrfORqjCV.exe.398062c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
23.2.gNrfORqjCV.exe.398062c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.398062c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.gNrfORqjCV.exe.398062c.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
23.2.gNrfORqjCV.exe.398062c.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
0.2.gNrfORqjCV.exe.3efe658.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.gNrfORqjCV.exe.3efe658.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.gNrfORqjCV.exe.3efe658.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.gNrfORqjCV.exe.3efe658.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.gNrfORqjCV.exe.3efe658.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.gNrfORqjCV.exe.3efe658.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.gNrfORqjCV.exe.29cf1b4.4.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.gNrfORqjCV.exe.29cf1b4.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x8016:$v1: SbieDll.dll 0x8030:$v2: USER 0x803c:$v3: SANDBOX 0x804e:$v4: VIRUS 0x809e:$v4: VIRUS 0x805c:$v5: MALWARE 0x806e:$v6: SCHMIDTI 0x8082:$v7: CURRENTUSER
7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x44bad:$x1: NanoCore.ClientPluginHost 0x777cd:$x1: NanoCore.ClientPluginHost 0xaa1ed:$x1: NanoCore.ClientPluginHost 0x44bea:$x2: IClientNetworkHost 0x7780a:$x2: IClientNetworkHost 0xaa22a:$x2: IClientNetworkHost 0x4871d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7b33d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xadd5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x44915:$x1: NanoCore Client 0x44925:$x1: NanoCore Client 0x77535:$x1: NanoCore Client 0x77545:$x1: NanoCore Client 0xa9f55:$x1: NanoCore Client 0xa9f65:$x1: NanoCore Client 0x44b6d:$x2: NanoCore.ClientPlugin 0x7778d:$x2: NanoCore.ClientPlugin 0xaa1ad:$x2: NanoCore.ClientPlugin 0x44bad:$x3: NanoCore.ClientPluginHost 0x777cd:$x3: NanoCore.ClientPluginHost 0xaa1ed:$x3: NanoCore.ClientPluginHost 0x44b62:$i1: IClientApp 0x77782:$i1: IClientApp 0xaa1a2:$i1: IClientApp 0x44b83:$i2: IClientData 0x777a3:$i2: IClientData 0xaa1c3:$i2: IClientData 0x44b8f:$i3: IClientNetwork 0x777af:$i3: IClientNetwork 0xaa1cf:$i3: IClientNetwork
7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x44915:$a: NanoCore 0x44925:$a: NanoCore 0x44b59:$a: NanoCore 0x44b6d:$a: NanoCore 0x44bad:$a: NanoCore 0x77535:$a: NanoCore 0x77545:$a: NanoCore 0x77779:$a: NanoCore 0x7778d:$a: NanoCore 0x777cd:$a: NanoCore 0xa9f55:$a: NanoCore 0xa9f65:$a: NanoCore 0xaa199:$a: NanoCore 0xaa1ad:$a: NanoCore 0xaa1ed:$a: NanoCore 0x44974:$b: ClientPlugin 0x44b76:$b: ClientPlugin 0x44bb6:$b: ClientPlugin 0x77594:$b: ClientPlugin 0x77796:$b: ClientPlugin 0x777d6:$b: ClientPlugin
7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x44bad:$a1: NanoCore.ClientPluginHost 0x777cd:$a1: NanoCore.ClientPluginHost 0xaa1ed:$a1: NanoCore.ClientPluginHost 0x44b6d:$a2: NanoCore.ClientPlugin 0x7778d:$a2: NanoCore.ClientPlugin 0xaa1ad:$a2: NanoCore.ClientPlugin 0x46ac6:$b1: get_BuilderSettings 0x796e6:$b1: get_BuilderSettings 0xac106:$b1: get_BuilderSettings 0x449c9:$b2: ClientLoaderForm.resources 0x775e9:$b2: ClientLoaderForm.resources 0xaa009:$b2: ClientLoaderForm.resources 0x461e6:$b3: PluginCommand 0x78e06:$b3: PluginCommand 0xab826:$b3: PluginCommand 0x44b9e:$b4: IClientAppHost 0x777be:$b4: IClientAppHost 0xaa1de:$b4: IClientAppHost 0x4f01e:$b5: GetBlockHash 0x81c3e:$b5: GetBlockHash 0xb465e:$b5: GetBlockHash
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d59a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5cf:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d58e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d5b0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5bf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5e9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5cf:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d59a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x32515:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x32484:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5e9:$b9: IClientLoggingHost
23.2.gNrfORqjCV.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
23.2.gNrfORqjCV.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.gNrfORqjCV.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
23.2.gNrfORqjCV.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
23.2.gNrfORqjCV.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.gNrfORqjCV.exe.29ae42c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.gNrfORqjCV.exe.29ae42c.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x28d9e:$v1: SbieDll.dll 0x28db8:$v2: USER 0x28dc4:$v3: SANDBOX 0x28dd6:$v4: VIRUS 0x28e26:$v4: VIRUS 0x28de4:$v5: MALWARE 0x28df6:$v6: SCHMIDTI 0x28e0a:$v7: CURRENTUSER
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
8.2.gNrfORqjCV.exe.305f274.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.gNrfORqjCV.exe.305f274.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
8.2.gNrfORqjCV.exe.305f274.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
8.2.gNrfORqjCV.exe.305f274.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a70000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
8.2.gNrfORqjCV.exe.5a70000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a70000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.gNrfORqjCV.exe.5a70000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
8.2.gNrfORqjCV.exe.5a70000.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x2413b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24170:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x2412f:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24151:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24160:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x2418a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x2419d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x241b0:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241be:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241da:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24170:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x2413b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x290b6:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x29025:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x2418a:$b9: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
8.2.gNrfORqjCV.exe.5810000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.gNrfORqjCV.exe.5810000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
8.2.gNrfORqjCV.exe.5810000.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
8.2.gNrfORqjCV.exe.5810000.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
23.2.gNrfORqjCV.exe.2999588.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
23.2.gNrfORqjCV.exe.2999588.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.2999588.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
23.2.gNrfORqjCV.exe.2999588.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
23.2.gNrfORqjCV.exe.398062c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
23.2.gNrfORqjCV.exe.398062c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.398062c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.gNrfORqjCV.exe.398062c.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28764:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28799:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28758:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2877a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28789:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x287b3:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287c6:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287d9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287e7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x28803:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
23.2.gNrfORqjCV.exe.398062c.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28799:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28764:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6df:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d64e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x287b3:$b9: IClientLoggingHost
0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
15.2.dhcpmon.exe.2f69510.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
15.2.dhcpmon.exe.2f69510.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x1da37e:$v1: SbieDll.dll 0x1da398:$v2: USER 0x1da3a4:$v3: SANDBOX 0x1da3b6:$v4: VIRUS 0x1da406:$v4: VIRUS 0x1da3c4:$v5: MALWARE 0x1da3d6:$v6: SCHMIDTI 0x1da3ea:$v7: CURRENTUSER
15.2.dhcpmon.exe.2f664f8.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
15.2.dhcpmon.exe.2f664f8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x1dd396:$v1: SbieDll.dll 0x1dd3b0:$v2: USER 0x1dd3bc:$v3: SANDBOX 0x1dd3ce:$v4: VIRUS 0x1dd41e:$v4: VIRUS 0x1dd3dc:$v5: MALWARE 0x1dd3ee:$v6: SCHMIDTI 0x1dd402:$v7: CURRENTUSER
15.2.dhcpmon.exe.2f67504.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
15.2.dhcpmon.exe.2f67504.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x1dc38a:$v1: SbieDll.dll 0x1dc3a4:$v2: USER 0x1dc3b0:$v3: SANDBOX 0x1dc3c2:$v4: VIRUS 0x1dc412:$v4: VIRUS 0x1dc3d0:$v5: MALWARE 0x1dc3e2:$v6: SCHMIDTI 0x1dc3f6:$v7: CURRENTUSER
Click to see the 137 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gNrfORqjCV.exe, ProcessId: 5320, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gNrfORqjCV.exe, ProcessId: 5320, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\gNrfORqjCV.exe, ParentImage: C:\Users\user\Desktop\gNrfORqjCV.exe, ParentProcessId: 5240, ParentProcessName: gNrfORqjCV.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp, ProcessId: 5936, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gNrfORqjCV.exe, ProcessId: 5320, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gNrfORqjCV.exe, ProcessId: 5320, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: gNrfORqjCV.exe	ReversingLabs: Detection: 64%
Source: gNrfORqjCV.exe	Virustotal: Detection: 58%			Perma Link

Antivirus detection for URL or domain

Source: nonoise.duckdns.org

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	ReversingLabs: Detection: 64%

Yara detected Nanocore RAT

Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR

Machine Learning detection for sample

Source: gNrfORqjCV.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Joe Sandbox ML: detected

Source: 23.2.gNrfORqjCV.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack	Avira: Label: TR/NanoCore.fadte

Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "cb7cb109-a06b-4fd7-8d0e-5290e77d", "Group": "MOFASA", "Domain1": "nonoise.duckdns.org", "Domain2": "127.0.0.1", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "84.200.70.40", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Source: gNrfORqjCV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: gNrfORqjCV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 4x nop then jmp 07E27B45h	0_2_07E27007
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 4x nop then jmp 07E27B45h	0_2_07E277A3
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 4x nop then jmp 078916F5h	7_2_07890BB7
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 4x nop then jmp 078916F5h	7_2_07891351

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: nonoise.duckdns.org
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Source: unknown

DNS query: name: nonoise.duckdns.org

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: Joe Sandbox View

IP Address: 194.5.98.24 194.5.98.24

Source: global traffic

TCP traffic: 192.168.2.5:49701 -> 194.5.98.24:6060

Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.70.40
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80

Source: gNrfORqjCV.exe, 00000000.00000003.296515775.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296396139.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: gNrfORqjCV.exe, 00000000.00000003.295899082.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296138391.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296240339.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.295949444.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296360113.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296039310.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296275045.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.295980858.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296109893.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296305097.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, GzGmImHFmOq.exe, 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 0000000E.00000002.418053715.0000000003046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com.T
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comC
Source: gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTCH
Source: gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTCk
Source: gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTCp
Source: gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comde
Source: gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comego
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comlg
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.p
Source: gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coms0
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comsb
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305239978.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057EB000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersF
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersR
Source: gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersT
Source: gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersb
Source: gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerse
Source: gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersl
Source: gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersno
Source: gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersp
Source: gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerss
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305767077.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTF
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFH
Source: gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305239978.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305277458.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305453770.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305332327.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305058105.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305393745.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFu
Source: gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalicS
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsFu
Source: gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalso
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcom
Source: gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomd
Source: gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306618063.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306685172.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305767077.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd$
Source: gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdy
Source: gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessedQ
Source: gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312042266.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comf
Source: gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312042266.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comion
Source: gNrfORqjCV.exe, 00000000.00000003.305453770.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comony
Source: gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comuevo
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298027129.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/de
Source: gNrfORqjCV.exe, 00000000.00000003.297957541.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298027129.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cna-e
Source: gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnani
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298448695.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnicr
Source: gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnno
Source: gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cntra
Source: gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/Z
Source: gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/n
Source: gNrfORqjCV.exe, 00000000.00000003.307784164.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gNrfORqjCV.exe, 00000000.00000003.297685163.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: gNrfORqjCV.exe, 00000000.00000003.301848813.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301817563.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301964183.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301753239.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301721274.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.302024144.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.302116093.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301786090.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/u
Source: gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/g
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: gNrfORqjCV.exe, 00000000.00000003.301848813.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301817563.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301964183.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301753239.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301721274.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301786090.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-
Source: gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/g
Source: gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/u
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/kurs
Source: gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t-i
Source: gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: gNrfORqjCV.exe, 00000000.00000003.294783811.00000000057C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: gNrfORqjCV.exe, 00000000.00000003.294783811.00000000057C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: gNrfORqjCV.exe, 00000000.00000003.297685163.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krX
Source: gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kra-d
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnde
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cni
Source: gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnlg
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.

Source: unknown

DNS traffic detected: queries for: nonoise.duckdns.org

Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.gNrfORqjCV.exe.29cf1b4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.gNrfORqjCV.exe.29ae42c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 15.2.dhcpmon.exe.2f69510.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 15.2.dhcpmon.exe.2f664f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 15.2.dhcpmon.exe.2f67504.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: gNrfORqjCV.exe PID: 5320, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: gNrfORqjCV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.gNrfORqjCV.exe.29cf1b4.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.gNrfORqjCV.exe.29ae42c.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 15.2.dhcpmon.exe.2f69510.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 15.2.dhcpmon.exe.2f664f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 15.2.dhcpmon.exe.2f67504.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: gNrfORqjCV.exe PID: 5320, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_0265C214	0_2_0265C214
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_0265E648	0_2_0265E648
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_0265E658	0_2_0265E658
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_07E2273C	0_2_07E2273C
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_07E20040	0_2_07E20040
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_07E20007	0_2_07E20007
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_0286C214	7_2_0286C214
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_0286E648	7_2_0286E648
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_0286E658	7_2_0286E658
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B0006	7_2_053B0006
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B5041	7_2_053B5041
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B0040	7_2_053B0040
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B9B28	7_2_053B9B28
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B02E0	7_2_053B02E0
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B02D1	7_2_053B02D1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 8_2_02EEE480	8_2_02EEE480
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 8_2_02EEE471	8_2_02EEE471
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 8_2_02EEBBD4	8_2_02EEBBD4
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 8_2_06C10040	8_2_06C10040

Source: gNrfORqjCV.exe	Binary or memory string: OriginalFilename vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000000.00000002.381347692.0000000007040000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000000.00000003.318367958.0000000007201000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameoWRc.exe> vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000000.00000002.356107386.0000000003B35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTigra.dll. vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000000.00000000.292278061.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameoWRc.exe> vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000008.00000002.568193972.0000000004081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 0000000E.00000002.425767553.0000000004195000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 0000000E.00000002.418053715.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTigra.dll. vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 0000000E.00000002.425767553.0000000004203000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe	Binary or memory string: OriginalFilenameoWRc.exe> vs gNrfORqjCV.exe

Source: gNrfORqjCV.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GzGmImHFmOq.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: gNrfORqjCV.exe	ReversingLabs: Detection: 64%
Source: gNrfORqjCV.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File read: C:\Users\user\Desktop\gNrfORqjCV.exe

Jump to behavior

Source: gNrfORqjCV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2556.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp27D7.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp389B.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp389B.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2556.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp27D7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe

Jump to behavior

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File created: C:\Users\user\AppData\Local\Temp\tmp78F4.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@37/23@20/2

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: gNrfORqjCV.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_01
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{cb7cb109-a06b-4fd7-8d0e-5290e77da5a5}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Mutant created: \Sessions\1\BaseNamedObjects\nPnroCzUduJadCsbkbUABOtLLtA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1640:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_01

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: gNrfORqjCV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: gNrfORqjCV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: gNrfORqjCV.exe, SystemManager/frmBoard.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: GzGmImHFmOq.exe.0.dr, SystemManager/frmBoard.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.gNrfORqjCV.exe.430000.0.unpack, SystemManager/frmBoard.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.8.dr, SystemManager/frmBoard.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_07E23603 push ebp; retf		0_2_07E23609
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_07893BCF push FFFFFF8Bh; iretd		7_2_07893BDF

Source: initial sample	Static PE information: section name: .text entropy: 7.680692465060209
Source: initial sample	Static PE information: section name: .text entropy: 7.680692465060209
Source: initial sample	Static PE information: section name: .text entropy: 7.680692465060209

Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	File created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe			Jump to dropped file
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File opened: C:\Users\user\Desktop\gNrfORqjCV.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.gNrfORqjCV.exe.29cf1b4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.29ae42c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.2f69510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.2f664f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.2f67504.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4544, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, GzGmImHFmOq.exe, 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 0000000E.00000002.418053715.0000000003043000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.428209955.0000000003413000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, GzGmImHFmOq.exe, 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 0000000E.00000002.418053715.0000000003043000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.428209955.0000000003413000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 5668	Thread sleep time: -37665s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 5544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1640	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2492	Thread sleep count: 9432 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1812	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe TID: 5008	Thread sleep time: -37665s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe TID: 4700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 6032	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 472	Thread sleep time: -37665s >= -30000s
Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 4136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1712	Thread sleep time: -37665s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5020	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4276	Thread sleep count: 9255 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2552	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2816	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6016	Thread sleep time: -37665s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 5100	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe TID: 748	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9315	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9432	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Window / User API: threadDelayed 9459	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Window / User API: foregroundWindowGot 732	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9255
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8922

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 37665	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Thread delayed: delay time: 37665	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 37665
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 37665
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 37665
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 00000016.00000002.428209955.0000000003413000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000016.00000002.428209955.0000000003413000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000016.00000002.428209955.0000000003413000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Memory written: C:\Users\user\Desktop\gNrfORqjCV.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Memory written: C:\Users\user\Desktop\gNrfORqjCV.exe base: 400000 value starts with: 4D5A

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp389B.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2556.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp27D7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe

Source: gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003100000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000008.00000002.561827065.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000008.00000002.575711406.000000000747E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerHaVph

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Users\user\Desktop\gNrfORqjCV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Users\user\Desktop\gNrfORqjCV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Users\user\Desktop\gNrfORqjCV.exe VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Users\user\Desktop\gNrfORqjCV.exe VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: gNrfORqjCV.exe, 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: GzGmImHFmOq.exe, 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: gNrfORqjCV.exe, 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: gNrfORqjCV.exe, 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: GzGmImHFmOq.exe, 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: GzGmImHFmOq.exe, 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	11 Input Capture	21 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	13 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gNrfORqjCV.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.NanoBot
gNrfORqjCV.exe	59%	Virustotal		Browse
gNrfORqjCV.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.NanoBot
C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.NanoBot

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
23.2.gNrfORqjCV.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
8.2.gNrfORqjCV.exe.5a70000.4.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
nonoise.duckdns.org	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/:	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.fontbureau.comalso	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comcomd	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/C	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.fontbureau.comd$	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/u	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/t	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/-	0%	URL Reputation	safe
http://www.founder.com.cn/cnicr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/g	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/H	0%	URL Reputation	safe
http://www.founder.com.cn/cna-e	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/kurs	0%	Virustotal		Browse
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/:	0%	URL Reputation	safe
http://www.founder.com.cn/cnno	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/~	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.comony	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://www.fontbureau.comB.TTF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/g	0%	URL Reputation	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.fontbureau.comion	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/u	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comf	0%	URL Reputation	safe
http://www.fontbureau.comessedQ	0%	Avira URL Cloud	safe
nonoise.duckdns.org	100%	Avira URL Cloud	malware
http://www.fontbureau.comalsFu	0%	Avira URL Cloud	safe
http://www.sandoll.co.kra-d	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/kurs	0%	Avira URL Cloud	safe
http://www.sandoll.co.krX	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0/u	0%	Avira URL Cloud	safe
http://www.fontbureau.comFu	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cntra	0%	Avira URL Cloud	safe
http://www.fontbureau.comalicS	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cni	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnani	0%	Avira URL Cloud	safe
http://www.fontbureau.comuevo	0%	Avira URL Cloud	safe
http://www.carterandcone.com.T	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnlg	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/t-i	0%	Avira URL Cloud	safe
http://www.carterandcone.comTCH	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/n	0%	Avira URL Cloud	safe
http://www.carterandcone.como.p	0%	Avira URL Cloud	safe
http://www.fontbureau.comFH	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/de	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnde	0%	Avira URL Cloud	safe
http://www.carterandcone.coms0	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/Z	0%	Avira URL Cloud	safe
127.0.0.1	0%	Avira URL Cloud	safe
http://www.carterandcone.comlg	0%	Avira URL Cloud	safe
http://www.fontbureau.comdy	0%	Avira URL Cloud	safe
http://www.carterandcone.comde	0%	Avira URL Cloud	safe
http://www.carterandcone.comego	0%	Avira URL Cloud	safe
http://www.carterandcone.comsb	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nonoise.duckdns.org	194.5.98.24	true	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nonoise.duckdns.org	true	Avira URL Cloud: malware	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.sandoll.co.kra-d	gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comd$	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306618063.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306685172.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305767077.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.comessed	gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/kurs	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsFu	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	gNrfORqjCV.exe, 00000000.00000003.294783811.00000000057C2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/:	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krX	gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/-	gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comalso	gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, GzGmImHFmOq.exe, 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 0000000E.00000002.418053715.0000000003046000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.como.	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comessedQ	gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0/u	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/	gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cntra	gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcomd	gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/H	gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersno	gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/C	gNrfORqjCV.exe, 00000000.00000003.301848813.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301817563.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301964183.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301753239.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301721274.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.302024144.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.302116093.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301786090.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w	gNrfORqjCV.exe, 00000000.00000003.296515775.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296396139.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cni	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comFu	gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305239978.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305277458.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305453770.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305332327.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305058105.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305393745.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.comalicS	gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/u	gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/t	gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/-	gNrfORqjCV.exe, 00000000.00000003.301848813.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301817563.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301964183.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301753239.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301721274.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301786090.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnicr	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298448695.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com.T	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/g	gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersF	gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comuevo	gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/H	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnani	gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cna-e	gNrfORqjCV.exe, 00000000.00000003.297957541.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298027129.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comFH	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cnde	gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cnlg	gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	gNrfORqjCV.exe, 00000000.00000003.297685163.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/de	gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comTCH	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/:	gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersT	gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnno	gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/~	gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersR	gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.typography.netD	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.como.p	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comony	gNrfORqjCV.exe, 00000000.00000003.305453770.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	gNrfORqjCV.exe, 00000000.00000003.307784164.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	gNrfORqjCV.exe, 00000000.00000003.295899082.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296138391.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296240339.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.295949444.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296360113.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296039310.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296275045.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.295980858.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296109893.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296305097.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/n	gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/t-i	gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersl	gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.comC	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comB.TTF	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305767077.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/g	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comcom	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designerse	gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersb	gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fonts.com	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	gNrfORqjCV.exe, 00000000.00000003.297685163.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersp	gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.come	gNrfORqjCV.exe, 00000000.00000003.294783811.00000000057C2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coms0	gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designerss	gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305239978.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.comTC	gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdy	gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comego	gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/Z	gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comion	gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312042266.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comde	gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/u	gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd	gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comlg	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298027129.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comf	gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312042266.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comsb	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.24	nonoise.duckdns.org	Netherlands		208476	DANILENKODE	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800437
Start date and time:	2023-02-07 13:54:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	gNrfORqjCV.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@37/23@20/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.9% (good quality ratio 0.8%) Quality average: 67.6% Quality standard deviation: 33.2%
HCA Information:	Successful, ratio: 99% Number of executed functions: 73 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:55:12	API Interceptor	731x Sleep call for process: gNrfORqjCV.exe modified
13:55:20	API Interceptor	148x Sleep call for process: powershell.exe modified
13:55:22	Task Scheduler	Run new task: GzGmImHFmOq path: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
13:55:31	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\gNrfORqjCV.exe" s>$(Arg0)
13:55:32	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
13:55:35	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
13:55:40	API Interceptor	2x Sleep call for process: dhcpmon.exe modified
13:55:42	API Interceptor	1x Sleep call for process: GzGmImHFmOq.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
194.5.98.24	voestalpine sipari#U015f formu hk-CEL0929BD, pdf.exe	Get hash	malicious	Browse
	NEW ORDER 546576775643, pdf.exe	Get hash	malicious	Browse
	Yeni sipari#U015f _WJO-010222. pdf.exe	Get hash	malicious	Browse
	32INVITATION LETTER.pdf.exe	Get hash	malicious	Browse
	5Invited Partners for Emergency Meeting.pdf.exe	Get hash	malicious	Browse
	60Incentive Breakdown.pdf.exe	Get hash	malicious	Browse
	12UNPAID COMMISSION.pdf.exe	Get hash	malicious	Browse
	84master file for commission.pdf.exe	Get hash	malicious	Browse
	39DSTV ACTIVATION TEMPLATE FOR DECEMBER.pdf.exe	Get hash	malicious	Browse
	9OUTSTANDING INVOICES FOR SECURED CREDIT AS AT 5TH JAN 2019.pdf.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
nonoise.duckdns.org	SHIPMENT NOTIFICATION- EXPORTERS& IMPORTERS SCHEDULED DATE AVAILABLE..exe	Get hash	malicious	Browse	194.5.98.20

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	Scan Copy.exe	Get hash	malicious	Browse	194.5.98.186
	IMAGE119.exe	Get hash	malicious	Browse	194.5.98.12
	dlwat.exe	Get hash	malicious	Browse	194.5.98.202
	FAKTURA D.exe	Get hash	malicious	Browse	194.5.98.210
	Scan Copy.exe	Get hash	malicious	Browse	194.5.98.174
	scan_2023748984785874774.exe	Get hash	malicious	Browse	194.5.98.245
	BookingDetails77#6276.exe	Get hash	malicious	Browse	194.5.98.120
	DOCUMENT839$#789.exe	Get hash	malicious	Browse	194.5.98.120
	9E9C786810231BB2222BE822FBD43E21A02AF06B96C6C.exe	Get hash	malicious	Browse	194.5.98.212
	Fully Executed Contract.js	Get hash	malicious	Browse	194.5.98.71
	PROFORMA INVOICE SCAN DOC.exe	Get hash	malicious	Browse	194.5.98.53
	SIBAIRQ-PD-PUR-926.js	Get hash	malicious	Browse	194.5.98.71
	Payload.exe.exe	Get hash	malicious	Browse	194.5.98.13
	DTQ112.js	Get hash	malicious	Browse	194.5.98.42
	Proforma Invoice 3001855006.js	Get hash	malicious	Browse	194.5.98.42
	EFT20009563_invoice.js	Get hash	malicious	Browse	194.5.98.253
	MDCT091.js	Get hash	malicious	Browse	194.5.98.109
	Inquiry for Quotation No. 20P3200023.exe	Get hash	malicious	Browse	194.5.98.212
	Shipping Doc.pdf.exe	Get hash	malicious	Browse	194.5.98.9
	Proforma DA request.js	Get hash	malicious	Browse	194.5.98.97

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	941568
Entropy (8bit):	7.676646011154186
Encrypted:	false
SSDEEP:	12288:77S45nJrTmHkFrVoaqnS/pjpkH7PRNNiJTp/cuP1FRkkYy27YBp7HwcBVw:nS4PkkFr2QJ6HdaTp081L4y2Qasw
MD5:	60C8D91ADFA30A60AFA2F5437CE7D041
SHA1:	F8460389F343481D7420073AD1DA2F90DDEDC696
SHA-256:	5707C702F70CC5BF864E10AAAB48F9300E3BE0A7892D8FAA1810145F0AF93D2D
SHA-512:	38DE4CFCD5A1E75AF8E730B7F459D545108306BCFE06C2D315FB70B72DD75F550F21E0078F7AE4214D03BBBC5FDD4A3DE8500254534842E6EB8321693F5062C0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.c..............0..V..........>u... ........@.. ....................................@..................................t..O.................................................................................... ............... ..H............text...DU... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B................ u......H........K...B......-....................................................{......{....V.(......}......}.......0..C........u........6.,0(.....{.....{....o....,.(.....{.....{....o....+..+... ...U )UU.Z(.....{....o....X )UU.Z(.....{....o....X.0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...&.(.......0..V........(........}......}.......s"...}......+&...+...{.......(#......X.......-....X.......-....0...........rG.

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GzGmImHFmOq.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gNrfORqjCV.exe.log

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21748
Entropy (8bit):	5.600772758637283
Encrypted:	false
SSDEEP:	384:LtCRLq0gJcKuAax0rq/3ISVxyjulrItiiJ9glSJuyzSv0ZqbAVrdJQBR3BT+inY8:0KuAaxgUxyClrSSlBBs4wXoY8
MD5:	13AAEA93CDE8136DA48D5BF09ADF3B60
SHA1:	0450C3870498BB682CE4010CE9F85A1D6DC8774C
SHA-256:	C68305D299D55E533CD4DFA704D41EF40C81EB455BE38414FC6458A777A8C0F4
SHA-512:	460B8B08B988E680BDFD0869B5EB0E862A89099BB60A146F7A3EFA55CA9BDE803028C18FCFED4A5B154955C9A7ED42BD9B8801CD6AAC230E4F072B2CFA61595C
Malicious:	false
Preview:	@...e...............................d.7...b..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1j2kljyl.nvz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amg03k4b.ntk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fkpvekda.sks.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ilozur5r.kfw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_llqraot0.bne.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n0npb1fb.bd2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oj43ruk0.xkr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p15ocwwh.bio.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp2556.tmp

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	5.111180834949932
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Pcxtn:cbk4oL600QydbQxIYODOLedq3Scj
MD5:	205A4E2EE65AB288C6B92DB204349ACF
SHA1:	2F645852F3AB280F7FC170545EDBC557356DE80E
SHA-256:	5FBCDCDB9CE1FDCA116227AFE38D307CEA461D64D653BD23F20BA3872EA85B72
SHA-512:	77550160EAB85A1B52DBCB26F4D6DA3C4BED08DB7E220AC320937EEABFEA3755C0EA0354D691C803CBF8100A96BB67B06C9C30829876BC5EFA7941A02E3331A5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp27D7.tmp

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp389B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.140535559819237
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt2xvn:cgeCaYrFdOFzOzN33ODOiDdKrsuT6v
MD5:	7249F2169DE65C5704FB934EEAF9D7BF
SHA1:	6A0CB99EB5C1D4ABB0F5A8A6993ABD92DAAC126A
SHA-256:	A8E9843BC4C116B227EF3AD89E1BE8CB9C501370421504FEB5E82C66C8879247
SHA-512:	64D47BBC462F714DE847F49C3FF66F0B9880CFBFB0EB8DE3FC8FE657FF12F9922E256225A91EED819A82B97BB5408053B7FBCB7F7889065C535C281F8B9DD82D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp78F4.tmp

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.140535559819237
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt2xvn:cgeCaYrFdOFzOzN33ODOiDdKrsuT6v
MD5:	7249F2169DE65C5704FB934EEAF9D7BF
SHA1:	6A0CB99EB5C1D4ABB0F5A8A6993ABD92DAAC126A
SHA-256:	A8E9843BC4C116B227EF3AD89E1BE8CB9C501370421504FEB5E82C66C8879247
SHA-512:	64D47BBC462F714DE847F49C3FF66F0B9880CFBFB0EB8DE3FC8FE657FF12F9922E256225A91EED819A82B97BB5408053B7FBCB7F7889065C535C281F8B9DD82D
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.140535559819237
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt2xvn:cgeCaYrFdOFzOzN33ODOiDdKrsuT6v
MD5:	7249F2169DE65C5704FB934EEAF9D7BF
SHA1:	6A0CB99EB5C1D4ABB0F5A8A6993ABD92DAAC126A
SHA-256:	A8E9843BC4C116B227EF3AD89E1BE8CB9C501370421504FEB5E82C66C8879247
SHA-512:	64D47BBC462F714DE847F49C3FF66F0B9880CFBFB0EB8DE3FC8FE657FF12F9922E256225A91EED819A82B97BB5408053B7FBCB7F7889065C535C281F8B9DD82D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:KF:KF
MD5:	84F57A2CCBF5202D84064D529BC5F7F1
SHA1:	48D0C7CADD8EF77664087CAF8474E57C77FAB1AA
SHA-256:	BC484715C0A8CFC52127533FEFB1FE211599F6FD7CAC1183A15C1449E255DBFD
SHA-512:	B4AB763748F3F445E55CCF2A85A9684BF392E5903F4F8253C4F61637099419469895DB23C92EF5C9BC0138B325D57A40F75153C638BF371D41EE79AB0DED11CA
Malicious:	true
Preview:	.pV.V..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.405822250285692
Encrypted:	false
SSDEEP:	3:oNUWJRWCfqGi4A:oNNJACfq6A
MD5:	2C464CA33435236989E7B48201539321
SHA1:	BF6ED3B301DE5F4AE68C17E4CC826C70DE058248
SHA-256:	E8D74AB7595A22F57A930F896093E42870EFCF9CC6FF801D97F0E31073B03D28
SHA-512:	45E51DC7DCDD94F0EE2011AD5AE05A88E3D14825F0F4C46E9B8C55F19C7ECA4D096E28727D0BEA57590E9D02E030F12B001A4C4E53B382671084CA3CB51B7327
Malicious:	false
Preview:	C:\Users\user\Desktop\gNrfORqjCV.exe

C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	941568
Entropy (8bit):	7.676646011154186
Encrypted:	false
SSDEEP:	12288:77S45nJrTmHkFrVoaqnS/pjpkH7PRNNiJTp/cuP1FRkkYy27YBp7HwcBVw:nS4PkkFr2QJ6HdaTp081L4y2Qasw
MD5:	60C8D91ADFA30A60AFA2F5437CE7D041
SHA1:	F8460389F343481D7420073AD1DA2F90DDEDC696
SHA-256:	5707C702F70CC5BF864E10AAAB48F9300E3BE0A7892D8FAA1810145F0AF93D2D
SHA-512:	38DE4CFCD5A1E75AF8E730B7F459D545108306BCFE06C2D315FB70B72DD75F550F21E0078F7AE4214D03BBBC5FDD4A3DE8500254534842E6EB8321693F5062C0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.c..............0..V..........>u... ........@.. ....................................@..................................t..O.................................................................................... ............... ..H............text...DU... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B................ u......H........K...B......-....................................................{......{....V.(......}......}.......0..C........u........6.,0(.....{.....{....o....,.(.....{.....{....o....+..+... ...U )UU.Z(.....{....o....X )UU.Z(.....{....o....X.0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...&.(.......0..V........(........}......}.......s"...}......+&...+...{.......(#......X.......-....X.......-....0...........rG.

C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.676646011154186
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	gNrfORqjCV.exe
File size:	941568
MD5:	60c8d91adfa30a60afa2f5437ce7d041
SHA1:	f8460389f343481d7420073ad1da2f90ddedc696
SHA256:	5707c702f70cc5bf864e10aaab48f9300e3be0a7892d8faa1810145f0af93d2d
SHA512:	38de4cfcd5a1e75af8e730b7f459d545108306bcfe06c2d315fb70b72dd75f550f21e0078f7ae4214d03bbbc5fdd4a3de8500254534842e6eb8321693f5062c0
SSDEEP:	12288:77S45nJrTmHkFrVoaqnS/pjpkH7PRNNiJTp/cuP1FRkkYy27YBp7HwcBVw:nS4PkkFr2QJ6HdaTp081L4y2Qasw
TLSH:	82159D5119AB43E6ECF98D7832B8E61826A28CD2476D9D3EBC863D7A8CF370F4451711
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.c..............0..V..........>u... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4e753e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63C94CB9 [Thu Jan 19 13:59:21 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe74ec	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe8000	0x3a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe5544	0xe5600	False	0.8197239015667575	data	7.680692465060209	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe8000	0x3a4	0x400	False	0.3837890625	data	2.942309763240296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe8058	0x348	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 13:55:35.385148048 CET	49701	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:35.746256113 CET	6060	49701	194.5.98.24	192.168.2.5
Feb 7, 2023 13:55:36.263089895 CET	49701	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:36.502480984 CET	6060	49701	194.5.98.24	192.168.2.5
Feb 7, 2023 13:55:37.060009956 CET	49701	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:37.292237043 CET	6060	49701	194.5.98.24	192.168.2.5
Feb 7, 2023 13:55:45.062972069 CET	49702	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:45.285547972 CET	6060	49702	194.5.98.24	192.168.2.5
Feb 7, 2023 13:55:45.967027903 CET	49702	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:46.183325052 CET	6060	49702	194.5.98.24	192.168.2.5
Feb 7, 2023 13:55:46.764082909 CET	49702	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:46.995682001 CET	6060	49702	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:08.145855904 CET	49705	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:08.364366055 CET	6060	49705	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:08.953275919 CET	49705	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:09.165040970 CET	6060	49705	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:09.765851021 CET	49705	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:09.983294964 CET	6060	49705	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:39.798890114 CET	49712	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:40.003993034 CET	6060	49712	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:40.518403053 CET	49712	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:40.723225117 CET	6060	49712	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:41.228743076 CET	49712	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:41.443243027 CET	6060	49712	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:54.732409954 CET	49713	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:57.188936949 CET	6060	49713	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:57.863878965 CET	49713	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:58.096165895 CET	6060	49713	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:58.598249912 CET	49713	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:58.812616110 CET	6060	49713	194.5.98.24	192.168.2.5
Feb 7, 2023 13:57:02.917262077 CET	49715	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:57:05.326845884 CET	6060	49715	194.5.98.24	192.168.2.5
Feb 7, 2023 13:57:05.842473984 CET	49715	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:57:07.717140913 CET	6060	49715	194.5.98.24	192.168.2.5
Feb 7, 2023 13:57:08.230956078 CET	49715	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:57:12.010140896 CET	6060	49715	194.5.98.24	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 13:55:34.256066084 CET	60649	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:35.317756891 CET	60649	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:35.370954037 CET	53	60649	84.200.69.80	192.168.2.5
Feb 7, 2023 13:55:44.998558044 CET	51441	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:45.034903049 CET	53	51441	84.200.69.80	192.168.2.5
Feb 7, 2023 13:55:53.838025093 CET	49724	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:54.828720093 CET	49724	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:57.980149031 CET	49724	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:59.984153032 CET	49724	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:04.031718969 CET	49724	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:08.101353884 CET	65323	53	192.168.2.5	84.200.70.40
Feb 7, 2023 13:56:08.142416954 CET	53	65323	84.200.70.40	192.168.2.5
Feb 7, 2023 13:56:31.261082888 CET	55039	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:32.283844948 CET	55039	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:33.328063011 CET	55039	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:35.691873074 CET	55039	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:39.746449947 CET	55039	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:39.797384977 CET	53	55039	84.200.69.80	192.168.2.5
Feb 7, 2023 13:56:45.474669933 CET	60975	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:46.489002943 CET	60975	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:47.535037041 CET	60975	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:49.536046982 CET	60975	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:53.621021986 CET	60975	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:53.668188095 CET	53	60975	84.200.69.80	192.168.2.5
Feb 7, 2023 13:57:02.882363081 CET	55068	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:57:02.916222095 CET	53	55068	84.200.69.80	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 7, 2023 13:55:34.256066084 CET	192.168.2.5	84.200.69.80	0x9980	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:35.317756891 CET	192.168.2.5	84.200.69.80	0x9980	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:44.998558044 CET	192.168.2.5	84.200.69.80	0x64c6	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:53.838025093 CET	192.168.2.5	84.200.69.80	0x4229	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:54.828720093 CET	192.168.2.5	84.200.69.80	0x4229	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:57.980149031 CET	192.168.2.5	84.200.69.80	0x4229	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:59.984153032 CET	192.168.2.5	84.200.69.80	0x4229	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:04.031718969 CET	192.168.2.5	84.200.69.80	0x4229	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:08.101353884 CET	192.168.2.5	84.200.70.40	0x8c8	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:31.261082888 CET	192.168.2.5	84.200.69.80	0x790f	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:32.283844948 CET	192.168.2.5	84.200.69.80	0x790f	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:33.328063011 CET	192.168.2.5	84.200.69.80	0x790f	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:35.691873074 CET	192.168.2.5	84.200.69.80	0x790f	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:39.746449947 CET	192.168.2.5	84.200.69.80	0x790f	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:45.474669933 CET	192.168.2.5	84.200.69.80	0x7de9	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:46.489002943 CET	192.168.2.5	84.200.69.80	0x7de9	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:47.535037041 CET	192.168.2.5	84.200.69.80	0x7de9	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:49.536046982 CET	192.168.2.5	84.200.69.80	0x7de9	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:53.621021986 CET	192.168.2.5	84.200.69.80	0x7de9	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:57:02.882363081 CET	192.168.2.5	84.200.69.80	0x8867	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 7, 2023 13:55:35.370954037 CET	84.200.69.80	192.168.2.5	0x9980	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:45.034903049 CET	84.200.69.80	192.168.2.5	0x64c6	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:08.142416954 CET	84.200.70.40	192.168.2.5	0x8c8	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:39.797384977 CET	84.200.69.80	192.168.2.5	0x790f	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:53.668188095 CET	84.200.69.80	192.168.2.5	0x7de9	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:57:02.916222095 CET	84.200.69.80	192.168.2.5	0x8867	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:55:01
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\gNrfORqjCV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\gNrfORqjCV.exe
Imagebase:	0x430000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	13:55:13
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Imagebase:	0xf00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	13:55:13
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	13:55:14
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Imagebase:	0xf00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	13:55:14
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	13:55:14
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	13:55:14
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	13:55:22
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Imagebase:	0x530000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 64%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	8
Start time:	13:55:25
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\gNrfORqjCV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\gNrfORqjCV.exe
Imagebase:	0xbb0000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	10
Start time:	13:55:30
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2556.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	13:55:30
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	12
Start time:	13:55:31
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp27D7.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	13
Start time:	13:55:31
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	14
Start time:	13:55:32
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\gNrfORqjCV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\gNrfORqjCV.exe 0
Imagebase:	0x820000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Target ID:	15
Start time:	13:55:32
Start date:	07/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0x740000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 64%, ReversingLabs

Show Windows behavior

Target ID:	16
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Imagebase:	0xf00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	17
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	18
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Imagebase:	0xf00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	19
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	20
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	21
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	22
Start time:	13:55:44
Start date:	07/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0xc10000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	23
Start time:	13:55:50
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\gNrfORqjCV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\gNrfORqjCV.exe
Imagebase:	0x4e0000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Target ID:	26
Start time:	13:56:04
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp389B.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	27
Start time:	13:56:04
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	28
Start time:	13:56:07
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Imagebase:	0xc50000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	123
Total number of Limit Nodes:	8

Executed Functions

Function 07E27007 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.391152313.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e34c4526d5cf431054a6db0ae0354d6cc130587fb4669b93445a262f18f26ae
Instruction ID: 0011ea030823e48634a17e63e435ef475de4c02c87f18184923fe9418bee5108
Opcode Fuzzy Hash: 9e34c4526d5cf431054a6db0ae0354d6cc130587fb4669b93445a262f18f26ae
Instruction Fuzzy Hash: 23E046B991A124CFCB109FA5E8044F8F7BCEB8F352F00B0A2C60DA7211DB305A469A00

Uniqueness

Uniqueness Score: -1.00%

Function 07E277A3 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.391152313.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0229a16e30643c645c324c9a31210657babaeae245735e8d74a2a8d8d17ca532
Instruction ID: d3f391394a6d769d026054e49774e9823b5e59c0aa00d305ef3fe2529beb0424
Opcode Fuzzy Hash: 0229a16e30643c645c324c9a31210657babaeae245735e8d74a2a8d8d17ca532
Instruction Fuzzy Hash: 5CC09BA7E9F034D6C5400C9968110F5E77D85CB0B2D017072C31DA3401C920425B2154

Uniqueness

Uniqueness Score: -1.00%

Function 0265FC80 Relevance: 1.8, APIs: 1, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af51ba89bbf79a86735d5a1e8a85eda1b422cae36628b0941b99e4d20eba271a
Instruction ID: 6c55d153781e9f811fb48b7aaa9158a86456b8665b256ad55b852e294d7589d3
Opcode Fuzzy Hash: af51ba89bbf79a86735d5a1e8a85eda1b422cae36628b0941b99e4d20eba271a
Instruction Fuzzy Hash: F19162B1C093889FDB12CFA4C8909DDBFB1EF4B300F5A819AE454AB6A2D7344946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02659770 Relevance: 1.7, APIs: 1, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 026599B6

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 922af7a46c32cc885f94e04436bf38ff440539faa7351735018434a137682ed3
Instruction ID: 7229d2b164dbf1456b14bb1db614eded7fd8a6da74a6bf7a6bb0b6575967d911
Opcode Fuzzy Hash: 922af7a46c32cc885f94e04436bf38ff440539faa7351735018434a137682ed3
Instruction Fuzzy Hash: 8D7122B0A01B158FDB24CF6AD05079ABBF1BF88304F00892ED88AD7B50D738E845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0265DD28 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0265FEEA

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cd64f8480ef8f7ead51cd7076972e940f8b084843d1377fefb5919e5227de547
Instruction ID: 774457114cb4956022f936b626206746c359791f267c6f38eaa87c74fceb24e5
Opcode Fuzzy Hash: cd64f8480ef8f7ead51cd7076972e940f8b084843d1377fefb5919e5227de547
Instruction Fuzzy Hash: F05113B1C00359EFDB15CFA9C880ADEBFB5BF49310F24812AE819AB251D7749846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0265FDCC Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0265FEEA

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d53ad3496573f23d18b0d1bff80e9b60c0cf9f0a82b14ecd4f935c8be25b8998
Instruction ID: 1974aa936158075083cd797ab0d7525b760fffb9add5ac0097524324ec903da3
Opcode Fuzzy Hash: d53ad3496573f23d18b0d1bff80e9b60c0cf9f0a82b14ecd4f935c8be25b8998
Instruction Fuzzy Hash: 4F51D0B1D00319AFDB14CFA9C884ADEFBB5BF49710F64812AE819AB610D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0265DD44 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0265FEEA

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 97a224f2020d5fb888b02db0b5378c049907f46ff6f4d50db5b40cd6fa109087
Instruction ID: a1ed322d4d99e1f96d055249d21d9ff371eac1ea81671b7a3f0bdcab13ac3104
Opcode Fuzzy Hash: 97a224f2020d5fb888b02db0b5378c049907f46ff6f4d50db5b40cd6fa109087
Instruction Fuzzy Hash: 4C51DEB1D00319EFDB14CF9AC884ADEFBB5BF49710F24812AE819AB610D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02653DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02655421

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4c934a90b7652b3bcbf14b97fd060170d5edeaf1bd2d7aa136b09d03f1b1df76
Instruction ID: 20f43b6d0a50f4e7b9ecd1c6116d329734f942e9ddf6c7f6a7a24088501589bd
Opcode Fuzzy Hash: 4c934a90b7652b3bcbf14b97fd060170d5edeaf1bd2d7aa136b09d03f1b1df76
Instruction Fuzzy Hash: 3141D271C0022CCFDB24DFA9C94879EBBB5BF48304F508069D809BB251D7B56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0265536F Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02655421

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bad6a7c21071641adfd22c4ea6336acabff3016e270077e843ccac9af47739ff
Instruction ID: 3ceef431aace83337ca3b2e8df87da2c9b027b67ec1a512c081b87ddd4ebe1e3
Opcode Fuzzy Hash: bad6a7c21071641adfd22c4ea6336acabff3016e270077e843ccac9af47739ff
Instruction Fuzzy Hash: BF41B071C0022CCFDB24DFA9C98879EBBB5BF48704F608069D809BB250D7B56946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02659BD2 Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02659A31,00000800,00000000,00000000), ref: 02659C42

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a6f77be6481a622acef179ad6adc5c07d6e301d754860604b280a38191e4eae0
Instruction ID: 7a2199c80f897af9a9ebce1c1ada91f05b6cc2ca99159cc282b9dc3fcfb375da
Opcode Fuzzy Hash: a6f77be6481a622acef179ad6adc5c07d6e301d754860604b280a38191e4eae0
Instruction Fuzzy Hash: 2E3147B6D05258DFDB10CF9AD844ADEFBF4AF48720F14846AD859A7600C335654ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026593A0 Relevance: 1.6, APIs: 1, Instructions: 75
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02659A31,00000800,00000000,00000000), ref: 02659C42

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6367cfd8ef236b237ffc8ed1558ff3bf52ef040f62e7a01a0cbfd08e4e0ae8b3
Instruction ID: 14ce2439f81713eef4df29ef6cdb74bf927601c3ef999defddd30ecca58084ee
Opcode Fuzzy Hash: 6367cfd8ef236b237ffc8ed1558ff3bf52ef040f62e7a01a0cbfd08e4e0ae8b3
Instruction Fuzzy Hash: DF217AB2C05358CFDB11CFA9C884ADEBBF0EF55710F14846AD455A7251C334A946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02659710 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0265B95E,?,?,?,?,?), ref: 0265BA1F

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a541171062e511d3bf0ac8aa0cff6aed438b97166d5e7bfeb2fcc0f0a9098eab
Instruction ID: e3e42c8ee328d17ab9a799f28f81cedc1b2d1886de20ca50899f0812195090f4
Opcode Fuzzy Hash: a541171062e511d3bf0ac8aa0cff6aed438b97166d5e7bfeb2fcc0f0a9098eab
Instruction Fuzzy Hash: 592114B5900208AFDB10CF9AD984AEEFBF4EB48324F14805AE814B7310D378A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0265B990 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0265B95E,?,?,?,?,?), ref: 0265BA1F

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 88216f10b782fb02ce7833b6ed34c83ca6ad2251d4f9f377e8915b3b06937c1b
Instruction ID: fe6cae62df6e25774c722ec63865e9db11f79ff76f29f0cd2d2548d45c7a279b
Opcode Fuzzy Hash: 88216f10b782fb02ce7833b6ed34c83ca6ad2251d4f9f377e8915b3b06937c1b
Instruction Fuzzy Hash: 342114B5D002099FCB00CFA9D584AEEFBF5FB08310F14806AE814A3310C378A940CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02659388 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02659A31,00000800,00000000,00000000), ref: 02659C42

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 97e1a3b7b119251570fc0f82f83db991a9d5ef007cd33ed465fb99db394fdcde
Instruction ID: 0de6c26b6174993918b0ced51247f34eb9b53ac46059263fd1d2ec702a5380bf
Opcode Fuzzy Hash: 97e1a3b7b119251570fc0f82f83db991a9d5ef007cd33ed465fb99db394fdcde
Instruction Fuzzy Hash: B21103B2900259DFDB10CF9AD544ADEFBF4AB88714F14846AD819A7700C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02659950 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 026599B6

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 30a6677b16bc10cd73b7f9d348e4d84257c2fa857a38148d9923911077ddf3aa
Instruction ID: a4d32d0fea0ec758ace388a9178c802ec02bc7e94de2834ba22f962aa3f7cdeb
Opcode Fuzzy Hash: 30a6677b16bc10cd73b7f9d348e4d84257c2fa857a38148d9923911077ddf3aa
Instruction Fuzzy Hash: 5011EDB6D002598FCB10CF9AC944ADEFBF4AF88724F14846AD869B7700D378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07E282C8 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 07E28325

Memory Dump Source

Source File: 00000000.00000002.391152313.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_gNrfORqjCV.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6bd261fd45c112b2fa61e9bb42ccfbac0dea7f5a83e52231d5d17097c4014482
Instruction ID: 42b8eeb264937e2c1a82de183d1527a207bf5fa68536496c80d5f5ff30852b60
Opcode Fuzzy Hash: 6bd261fd45c112b2fa61e9bb42ccfbac0dea7f5a83e52231d5d17097c4014482
Instruction Fuzzy Hash: 8A11E5B58003599FDB10CF9AD584BDEFBF8FB48724F148459D455A7600C374A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349333459.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d42eaab5de55818991fc3bef1f1f775f1f5af386f494b0a6b6536902e42f6bc
Instruction ID: 4ddf2f6302b33f7ebeb886d08aed2d2d7c08d8dad8093bf9603816569340677d
Opcode Fuzzy Hash: 0d42eaab5de55818991fc3bef1f1f775f1f5af386f494b0a6b6536902e42f6bc
Instruction Fuzzy Hash: 742125B2504240DFDB05DF14D9C0F26BF65FB88328F24867DE8460B246C336D946DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349494232.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80853967a5490a32dd5cc3a7ac5c3c86cb5c5c9e2e717215191715b1031ec4d9
Instruction ID: 9491f9d33099ff76d2cfc4daf69062b3fcfb3f7bdc276f80e3d3f260b9309d67
Opcode Fuzzy Hash: 80853967a5490a32dd5cc3a7ac5c3c86cb5c5c9e2e717215191715b1031ec4d9
Instruction Fuzzy Hash: 6021F575904240DFDB15DF14D9C0B16BBA5FBC4314F24C96AD94A4B346C336E847DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349494232.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45e4c68e24953a3b08c349e963af661eba318b9dae10d2f24cd51d1f7e02114
Instruction ID: fbc4128ba0dd666410537f5686c43acf3c9a2c19b7ecc1b9a7c089ff76b1817f
Opcode Fuzzy Hash: d45e4c68e24953a3b08c349e963af661eba318b9dae10d2f24cd51d1f7e02114
Instruction Fuzzy Hash: F0210471904240EFDB05DF14D9C0B26BBA5FB84324F24CAAEEA4A4B346C336DC46DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349494232.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27113ac13002c316a22bfec51dc14f427746ddcb65b9abe09e7ba31c5a034b2f
Instruction ID: 83bb366faa0874acd6e768625507802b383792beea4627df2dcb505a4d972965
Opcode Fuzzy Hash: 27113ac13002c316a22bfec51dc14f427746ddcb65b9abe09e7ba31c5a034b2f
Instruction Fuzzy Hash: D9217F755093808FCB12CF24D990715BF71AB86314F29C5EBD8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349333459.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction ID: e54f360d999098b61b6f9ccc190e6533af17547c25034192a9c9a0ad84f89ec8
Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction Fuzzy Hash: AF11B1B6504280CFCB16CF14D9C4B16BF71FB84324F24C6ADD8450B656C336D956CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349494232.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
Instruction ID: 55ab4bd760234a58e1b5f9426bc8fc256dc409ac8502819fe1ec7b47db340d16
Opcode Fuzzy Hash: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
Instruction Fuzzy Hash: CD11A975904280DFCB02CF10C5C0B15FBA1FB84324F28C6AAD94A4B756C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349333459.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85e0d090015f8473ffd4fb84ee21f63d12e8fe68873ad1e1dc7d0bb627bdfb3
Instruction ID: 60af665b8fbf1fc46fd64257f9560c06e62157b39e28d175efe027bdfcedd17d
Opcode Fuzzy Hash: a85e0d090015f8473ffd4fb84ee21f63d12e8fe68873ad1e1dc7d0bb627bdfb3
Instruction Fuzzy Hash: BA01F731508380AAE7104F16CC84F66BF98EF41734F18856EED1A5F64AC3789841D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349333459.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdb038b4dddf73211e2439c28d921e1b9f840fd6924de51c5495d061a762e9b
Instruction ID: 5ce28b9b2e767a17017f18e382a647dc070f3bcaed553a6b55e3ea8c4107d832
Opcode Fuzzy Hash: cfdb038b4dddf73211e2439c28d921e1b9f840fd6924de51c5495d061a762e9b
Instruction Fuzzy Hash: 33F04F72504284AAE7118E16CC88B62FB98EB91734F18C56EED195B686C2799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07E2273C Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

a, xrefs: 07E228EF
UUUU, xrefs: 07E22801

Memory Dump Source

Source File: 00000000.00000002.391152313.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID: UUUU$a
API String ID: 0-1082907647
Opcode ID: 216ee0f595bb7b6a00d147c96255984078fbc6c236290815f3434498f456bb33
Instruction ID: 7527cdbb96ee6c13c6f650378cfa9b41fd9483f3fc4d41202e1381b9ff72a2c2
Opcode Fuzzy Hash: 216ee0f595bb7b6a00d147c96255984078fbc6c236290815f3434498f456bb33
Instruction Fuzzy Hash: 4E516F70E11628CFEB64CFA8C981B8DBBF1BF88314F1486A9D158E7205D7749A96CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0265E658 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f8a2f01736dced9db3744301a89a506efc169681136b0db93e4bbea2ba3e4f
Instruction ID: 74c4f33fc7e71ed34f373bd753c1980f57dee405f70677f1cd2c80763cae361a
Opcode Fuzzy Hash: 49f8a2f01736dced9db3744301a89a506efc169681136b0db93e4bbea2ba3e4f
Instruction Fuzzy Hash: E812D8FA512746FAE312CF65E89C3A93B61F745328B504228D2611BAD4DFBC1D4ACF48

Uniqueness

Uniqueness Score: -1.00%

Function 0265C214 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8982a892bcb2140d984bd38d72c865f4b2f8fd6095c0d5287b27a86b1d893af
Instruction ID: acbd663faa2c37b775fd8d89739797899a0dcfdd672d8507247898376385b290
Opcode Fuzzy Hash: a8982a892bcb2140d984bd38d72c865f4b2f8fd6095c0d5287b27a86b1d893af
Instruction Fuzzy Hash: B0A14D32E0062A9FCF05DFA5C88499EB7B2FF85304F15856AE805BB261EB35AD45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0265E648 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.350206965.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f56d4214cb5237878e23900763880f26ce7c87f2ff95fcf2a30e3f83d0b63d
Instruction ID: 6039f1da4149a4a52ea8408755825c97eced426f388ecb5b599c33c07d8ff958
Opcode Fuzzy Hash: 24f56d4214cb5237878e23900763880f26ce7c87f2ff95fcf2a30e3f83d0b63d
Instruction Fuzzy Hash: 42C13ABA912746FAE712DF24E89C3993B61FB85324F514228D1612B6D0DFBC1D4ACF48

Uniqueness

Uniqueness Score: -1.00%

Function 07E20007 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.391152313.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6caa39337a9b3099c5bbad0f08059c89e22a300cd96fd536492c97dd00f426e
Instruction ID: f07959f07ca74ccb1c9c2bf7d685dc0e16bcbb8a1620774298802673191eb48c
Opcode Fuzzy Hash: d6caa39337a9b3099c5bbad0f08059c89e22a300cd96fd536492c97dd00f426e
Instruction Fuzzy Hash: BB415C71E056548FE719CF6B8D4068AFFF3AFC9201F18C1FAC448AA265EB3409468F11

Uniqueness

Uniqueness Score: -1.00%

Function 07E20040 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.391152313.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c7bb7aa51aad661f558c36d962c85314a2756a9568f2c43f885a057e415a79
Instruction ID: 34dd0c5b7b5416e029ce967ff0802ab7c661847bb5151363e08abfe581db37c9
Opcode Fuzzy Hash: b2c7bb7aa51aad661f558c36d962c85314a2756a9568f2c43f885a057e415a79
Instruction Fuzzy Hash: B54121B1E05A18CFEB58CF6B8D4079AFAF7AFC9201F14D1BA840CA6255EB3415868F11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: GzGmImHFmOq.exePID: 5000, Parent PID: 1084COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	138
Total number of Limit Nodes:	7

Executed Functions

Function 0286FC80 Relevance: 1.8, APIs: 1, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb85353c48ef7c1e1822641dd7dd992881c193d702cd11a753056b43a2d04c38
Instruction ID: a9530b7fc3020073cb90cf79671647a1faddc10d1a23a94d90c4d2b6fe4de87c
Opcode Fuzzy Hash: eb85353c48ef7c1e1822641dd7dd992881c193d702cd11a753056b43a2d04c38
Instruction Fuzzy Hash: 40919AB9C08388DFCB12CFA5D8909DDBFB1FF4A300F15819AE409AB262D3359956CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02869770 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028699B6

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ea1ffa46faa24fe693bc7b15597e1216c53c8a25fb72fe166a63e4a419833628
Instruction ID: 2f5367eab02cfa5e68aa991cc643a763f913bcfe2aad1fc516fcca0421ce6978
Opcode Fuzzy Hash: ea1ffa46faa24fe693bc7b15597e1216c53c8a25fb72fe166a63e4a419833628
Instruction Fuzzy Hash: E4712478A00B058FD724DF6AD54476ABBF1BF88304F10892ED48AD7A90D735E849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0286DD28 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0286FEEA

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 451b8917b223f84e5b641fb578eb51a60527fea4af2294d048d703631e8e88b3
Instruction ID: 1250efb79b2685cff0d3763a95ac2270e9568488c630183268d8382434cd25e8
Opcode Fuzzy Hash: 451b8917b223f84e5b641fb578eb51a60527fea4af2294d048d703631e8e88b3
Instruction Fuzzy Hash: 025114B5D04349DFDB10CFA9D884ADEBFB5BF49304F24812AE419AB211D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0286DD44 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0286FEEA

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 506c83ff9e33d1ac3de0798d3aa174075a688a5bf67855c44554c99540ec0a9a
Instruction ID: 28627b1b4e3e43b87df72ac941e26c10db70bb37f4bb25f9ae1df054bc9d6c51
Opcode Fuzzy Hash: 506c83ff9e33d1ac3de0798d3aa174075a688a5bf67855c44554c99540ec0a9a
Instruction Fuzzy Hash: FB51E0B5D00309DFDB14CF9AD884ADEBFB5BF48314F24812AE819AB610D771A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02863DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02865421

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d36a63c93cca79662c8c1252723973ee6df31cc95da9e799b2fd6503bc34da53
Instruction ID: d0db90581adb31e90bee8eb6a383c63e92213722d20dddac0c0ed8ad745e94c3
Opcode Fuzzy Hash: d36a63c93cca79662c8c1252723973ee6df31cc95da9e799b2fd6503bc34da53
Instruction Fuzzy Hash: 1641F2B4C0021DCFDB24DFA9C94879DBBB5BF49304F5080A9D409BB250D7B56985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0286536F Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02865421

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bc2450eed782f3dfa335845b7cf495ae3ee2c289ec8df674233797e7cc8d7f11
Instruction ID: d9c5d251acfbbd385a61d655ab499f3e0f23b21deebba82c943fb4f636b6c440
Opcode Fuzzy Hash: bc2450eed782f3dfa335845b7cf495ae3ee2c289ec8df674233797e7cc8d7f11
Instruction Fuzzy Hash: B841B0B5C0021DCEDB24DFA9C98879DBBB5BF49304F6080AAD419BB250D7B56985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02869707 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0286B95E,?,?,?,?,?), ref: 0286BA1F

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a21fba2e663e1d22fdbfdb0820e735616f4c34017fc73521890db25714a9448f
Instruction ID: 0d90c29f5e9a9d6b78ef302e1b8cd3a340e398a07ac743c456449110dab27d39
Opcode Fuzzy Hash: a21fba2e663e1d22fdbfdb0820e735616f4c34017fc73521890db25714a9448f
Instruction Fuzzy Hash: D12128B59002489FDB00CFAAD988AEEBFF4FB48314F14805AE914F7210D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02869710 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0286B95E,?,?,?,?,?), ref: 0286BA1F

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 08dc81eeb3de4fc3b6171c3eb86ad47c56de3d72b5ec4a69b6cac0c09a81d94e
Instruction ID: fde0228f15366b25b7b92f328f7ad0369ef387f0348a3e659ef120e8bda9b4bb
Opcode Fuzzy Hash: 08dc81eeb3de4fc3b6171c3eb86ad47c56de3d72b5ec4a69b6cac0c09a81d94e
Instruction Fuzzy Hash: B12103B59002489FDB10CF9AD988AEEBBF4EB48324F14801AE919F7310D375A954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0286B990 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0286B95E,?,?,?,?,?), ref: 0286BA1F

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d8a8f3723f5698e41a2ed90310a5919795df8696b33028b582c96e0fc0e5f1c0
Instruction ID: 0b4b50d650800ec42ed6ff6004423f63cd8c71ab4e04f41290ce676bd996d3b8
Opcode Fuzzy Hash: d8a8f3723f5698e41a2ed90310a5919795df8696b33028b582c96e0fc0e5f1c0
Instruction Fuzzy Hash: D92105B5D002089FCB10CF9AD984AEEBFF4EB48314F14801AE918B7310D375A954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02869BD3 Relevance: 1.6, APIs: 1, Instructions: 60
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02869A31,00000800,00000000,00000000), ref: 02869C42

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 88894ac55e57b0242c76b8f71f2218ff81dfef40d5939fbecaf3c80a706cd0b1
Instruction ID: f9bb060c00adb84d91fdf2a0ea882545f112641fb8fb8afbbd1c753995e87b3e
Opcode Fuzzy Hash: 88894ac55e57b0242c76b8f71f2218ff81dfef40d5939fbecaf3c80a706cd0b1
Instruction Fuzzy Hash: 2F2147BAD00249CFDB10CF9AD488ADEFBF4FB98724F10842AD519A7640C375A549CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02869388 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02869A31,00000800,00000000,00000000), ref: 02869C42

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0c6f152d7e3b36dd3dfb53add6736edd7daf44c7c940c1e3b518d6f4ce899ab3
Instruction ID: eba74e102ec2fcecd05d4703fb54b4c6574a92e9b2b56700d7aa6d2ee4dbc46e
Opcode Fuzzy Hash: 0c6f152d7e3b36dd3dfb53add6736edd7daf44c7c940c1e3b518d6f4ce899ab3
Instruction Fuzzy Hash: 1E1114BAD002499FDB10CF9AC448AEEFBF5EB48714F10842EE419BB640C375A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07892E60 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 07892EC0

Memory Dump Source

Source File: 00000007.00000002.470556295.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7890000_GzGmImHFmOq.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ba52022b15ae627c3e8d68dac07728aedeaa34c6dbedcaf315ea77d0da3b0d47
Instruction ID: 565752379dbe1c25c54ac051216abfeb6e704c00b99549cdc99e13f57365c910
Opcode Fuzzy Hash: ba52022b15ae627c3e8d68dac07728aedeaa34c6dbedcaf315ea77d0da3b0d47
Instruction Fuzzy Hash: E21128B18002499FCB10CF9AC584BDEBFF4FB48320F14846AD859A7641D378A684CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07892E68 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 07892EC0

Memory Dump Source

Source File: 00000007.00000002.470556295.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7890000_GzGmImHFmOq.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3728145a1330e588b0427e9891ad10f98ae10e4da4502e452d4a55f81fd35b5f
Instruction ID: 41f1b4b706cf8e395bd36feff1f9184447a33d857a14a706c43311f476a62d51
Opcode Fuzzy Hash: 3728145a1330e588b0427e9891ad10f98ae10e4da4502e452d4a55f81fd35b5f
Instruction Fuzzy Hash: 251103B19002499FCB10CF9AC584BDEBBF4FB48320F14842AD959A7640D778A688CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02869950 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028699B6

Memory Dump Source

Source File: 00000007.00000002.447564215.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2860000_GzGmImHFmOq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6b4dd8d2b78f167a756fafa961ece0d8c955780a41a54631daea0667a24e5dec
Instruction ID: eddbb609630a93f1685aca83dc57cf59907ec44ddf42c8e2442cdecc658bc38f
Opcode Fuzzy Hash: 6b4dd8d2b78f167a756fafa961ece0d8c955780a41a54631daea0667a24e5dec
Instruction Fuzzy Hash: AC1102B5C002498FCB10CF9AC448BDEFBF4AB89224F14842AD459B7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07891D40 Relevance: 1.5, APIs: 1, Instructions: 45
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 07891DA5

Memory Dump Source

Source File: 00000007.00000002.470556295.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7890000_GzGmImHFmOq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8394f92da28365b68a83bef55cf96c655aa75a6fa66edb4c5562389e91200308
Instruction ID: 65f46d5aa44c00fd9d4fb1e5d984c56bb8af76b71cdd297aa6d518076dc907b8
Opcode Fuzzy Hash: 8394f92da28365b68a83bef55cf96c655aa75a6fa66edb4c5562389e91200308
Instruction Fuzzy Hash: FD1110B6C003499FCB10CF99C588BDEBBF8BB48320F14881AE455A7600C375A684CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07891D48 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07891DA5

Memory Dump Source

Source File: 00000007.00000002.470556295.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7890000_GzGmImHFmOq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8e78ca83c3138d0518671386dab101f01780baaa7b9ba5ae6b5e6c81164ba40a
Instruction ID: a91f38ee38ffd8f24da7bac8ab123ec57b3d6636674ecb368d4903ba3a77d956
Opcode Fuzzy Hash: 8e78ca83c3138d0518671386dab101f01780baaa7b9ba5ae6b5e6c81164ba40a
Instruction Fuzzy Hash: DF11E5B5C003499FDB10CF9AC988BDEBFF8EB49324F14841AE955A7600C375A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 053BFD10 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.469632998.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_53b0000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403dfbe8edd7e6dce368254e79b6912d4f5302ea233da9ee1bcf5d87eca74548
Instruction ID: 78e193f6cf46821e57f59addc0aa4d6935a171d378b6cbbc1354eee766d33b04
Opcode Fuzzy Hash: 403dfbe8edd7e6dce368254e79b6912d4f5302ea233da9ee1bcf5d87eca74548
Instruction Fuzzy Hash: 1131B475E012189FDB14DFA9D854AEEBBB2FF88300F14802AD515B7350EB355A42DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.445013680.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ecd000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0384382a5c328823d7e3703bbd859d9e7b4e732d1dd30ca7e51fdc3f8727ff01
Instruction ID: 649c4fbc997de71116e8b05cd056ff9b863557b16cbef4f82f19258177d0ade3
Opcode Fuzzy Hash: 0384382a5c328823d7e3703bbd859d9e7b4e732d1dd30ca7e51fdc3f8727ff01
Instruction Fuzzy Hash: 122124B1508240DFDB09DF04DAC0F1ABB65FB94324F20867DD9095B206C337E857D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.445142308.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_edd000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc4bcfbbb996ec74b251d09e7083b14e289c8d72b85057e2621016468671e21
Instruction ID: 75051d898f41f1cecb993ed4aa82e3a667347e01ada4c9e8d5e5177a505aaa51
Opcode Fuzzy Hash: 9fc4bcfbbb996ec74b251d09e7083b14e289c8d72b85057e2621016468671e21
Instruction Fuzzy Hash: 8B21F275608240DFDB15DF24D9C0B16BBA6FBC8328F24CA6AD84A5B346C336D847DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.445142308.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_edd000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28f13770436d5d00eab0da092d417879ca369ab57c785f15ebba35177e5b4f8
Instruction ID: 7721cb94cb6943baeb729902031c4c2e5f15467f62f9116a917cc52b3eff6480
Opcode Fuzzy Hash: c28f13770436d5d00eab0da092d417879ca369ab57c785f15ebba35177e5b4f8
Instruction Fuzzy Hash: 0321F271508240EFDB05DF54D9C0B26BBA5FB84328F24CA6AE8496B366C336D847DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.445142308.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_edd000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0468dd87458ccb402b8e5b9cab3f95bfdd48c5c85264768a207b3e93da8afa
Instruction ID: 940da08c4c90fdcd5df2b899337235acb1147ac2de9bc3f6af4b944afa0afe86
Opcode Fuzzy Hash: 8c0468dd87458ccb402b8e5b9cab3f95bfdd48c5c85264768a207b3e93da8afa
Instruction Fuzzy Hash: 4A21717550D3808FD712CF24D990715BF71EB86314F29C5EBD8458B657C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.445013680.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ecd000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction ID: 959393b3eb6ee2e4f200dff1d7a45ebd14a8f961575d6e0307b4be9ef89d868a
Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction Fuzzy Hash: 1B11DF72404280DFCB16CF00DAC0B16BF71FB94324F2486ADD9095B616C33BE856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.445142308.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_edd000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
Instruction ID: 59cbf1b1fdee9fa7c7813839f7c674cc964e73132a7d7a89f923488196393b3f
Opcode Fuzzy Hash: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
Instruction Fuzzy Hash: 5B11BE75508280DFCB01CF10C9C0B15BBB1FB84328F24C6AED8495B766C33AD85ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.445013680.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ecd000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9a63b039aebc17b8159c7a7ff42e765eca1959e208154a445e1576e61aad4d
Instruction ID: 2a46cf0c50dace98c341cd16d1059bdea92573950a708ca1495bcacd0f47c59e
Opcode Fuzzy Hash: 6b9a63b039aebc17b8159c7a7ff42e765eca1959e208154a445e1576e61aad4d
Instruction Fuzzy Hash: 6601F73150C380AAE7104E15CE84FA6BF98EF41734F18956FED052F642C37B9846D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.445013680.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ecd000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f115aeecb4d69613edb7c65bfcb9f7bd941ff481501628d18443edb01a30941a
Instruction ID: 65b9b440051b9f0545283ec3cd96e59c3a046aa8bf23f19a17755dc49bd566ed
Opcode Fuzzy Hash: f115aeecb4d69613edb7c65bfcb9f7bd941ff481501628d18443edb01a30941a
Instruction Fuzzy Hash: 1AF068715042849EE7108E15CDC4B62FF98EB91734F18D55FED085F646C3769845CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 053BFBB8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.469632998.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_53b0000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b7ad858d2bcee581a3f42eab429a6de85c97baf0cb3d0e7ebe942dc0cb097e
Instruction ID: 471b09d1526888ceff7a50eee3a5019f61eedeaa360e988bac6e979569cb4453
Opcode Fuzzy Hash: 29b7ad858d2bcee581a3f42eab429a6de85c97baf0cb3d0e7ebe942dc0cb097e
Instruction Fuzzy Hash: D5E0C238900208EFCB14DFA8D444A9CBBB4FF48300F1080A9E90567320D631AA55DF81

Uniqueness

Uniqueness Score: -1.00%

Function 053BFE60 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.469632998.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_53b0000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b26b7c8be73823c8ab562f53217c8f36a429bfc6a7f6544bfe43599868ffd87
Instruction ID: ab40ee53358648ad0ffe02cfc2187a5a609d3a7d524337d141d1618de0bcc972
Opcode Fuzzy Hash: 2b26b7c8be73823c8ab562f53217c8f36a429bfc6a7f6544bfe43599868ffd87
Instruction Fuzzy Hash: 78E01270D10208EFCB64DFA9D40069DBBF4FB48300F1080AAD808A7300EB35AA91EF84

Uniqueness

Uniqueness Score: -1.00%

Function 053BFF30 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.469632998.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_53b0000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8733604ee7d068fa2174a3f64a4d147d97d58580f47131308936b22f25fb9c
Instruction ID: 50e9aae599772c63e7d6b1d1a7aaa7d40d2f1cf61c46ce296fe6955e663a4c9c
Opcode Fuzzy Hash: 3e8733604ee7d068fa2174a3f64a4d147d97d58580f47131308936b22f25fb9c
Instruction Fuzzy Hash: F8E0B674D15208EFDB64DFA9E44569DBFF4FB48300F1081A9D919A3340EA746A46DF81

Uniqueness

Uniqueness Score: -1.00%

Function 053BFB18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.469632998.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_53b0000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a612ccdafe4d3a47b1e1a7d99c6764b490ce51d4a90028a55e9126442cfd3b69
Instruction ID: cd33eaebec70fd62c59f195cd6fc8282610ffc338e96d8741ef9499575d285bb
Opcode Fuzzy Hash: a612ccdafe4d3a47b1e1a7d99c6764b490ce51d4a90028a55e9126442cfd3b69
Instruction Fuzzy Hash: 26E01230E05208EFDB64EFA8D40529DBBB4AB48300F2080AAC808A7300EB755A42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 053BFC08 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.469632998.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_53b0000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ab000a1ed73017268e890f0de739704c6a643afe57f73c1eb8e718a8f3204a
Instruction ID: 2ebb9059e3fd3acde4b3f3b3b2bf7205e5fe87992c05e337080397e74062e082
Opcode Fuzzy Hash: 19ab000a1ed73017268e890f0de739704c6a643afe57f73c1eb8e718a8f3204a
Instruction Fuzzy Hash: B2E04F34910208EFCB14DFA8D84499CBFB4FF09311F108098E90517320C731AE55DF80

Uniqueness

Uniqueness Score: -1.00%

Function 053BFCD0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.469632998.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_53b0000_GzGmImHFmOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd45222d3fc36ea8cf6d483b5bfc67685bb4c393ea806042363b4e8aec80d7e
Instruction ID: f053aa4a89d9d2754782f2a8bca46a145ab62a413b66faca93fe4e3cb3171b16
Opcode Fuzzy Hash: fbd45222d3fc36ea8cf6d483b5bfc67685bb4c393ea806042363b4e8aec80d7e
Instruction Fuzzy Hash: 0DE0EC30D212089FCB50DFB8D84969DBFB8BB04201F5040A9D90993240EA705A45CB41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gNrfORqjCV.exePID: 5320, Parent PID: 5240COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	193
Total number of Limit Nodes:	7

Executed Functions

Function 06C13558 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.575417625.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c10000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec866c36c165d14cea2ae8f2afbd0d5d13d90367aa3efdb06f8a31933834036
Instruction ID: c05a9fcc15d49c7934eda4afaed6eb207aa2da2dc49d92f488cbfeab3ae867b4
Opcode Fuzzy Hash: 5ec866c36c165d14cea2ae8f2afbd0d5d13d90367aa3efdb06f8a31933834036
Instruction Fuzzy Hash: 448187B1D0024DCFDB50DFA9C9806DEBBB5FF4A714F20852AD819AB240DB709A85DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02EE93E8 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02EE962E

Memory Dump Source

Source File: 00000008.00000002.561586339.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_gNrfORqjCV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6222bff6ba38974225988d64148ca98e045bbc101577335e3efdf86c6432f631
Instruction ID: 581cf48222de302051aff197c78137904eb287ec60210ef7766cdf78a2774442
Opcode Fuzzy Hash: 6222bff6ba38974225988d64148ca98e045bbc101577335e3efdf86c6432f631
Instruction Fuzzy Hash: 94711670A00B058FDB64DF2AC48579ABBF1FF88314F00892EE48AD7A51DB75E8458B91

Uniqueness

Uniqueness Score: -1.00%

Function 02EEFB20 Relevance: 1.7, APIs: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02EEFD0A

Memory Dump Source

Source File: 00000008.00000002.561586339.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_gNrfORqjCV.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: aaa68ff642c6bec51a4b25218e12a96ef279174d768d8fddfa4765d9286095a6
Instruction ID: 40d384362976bd42961572ecdaf7378f582e40b69f3784661ddab34385025f22
Opcode Fuzzy Hash: aaa68ff642c6bec51a4b25218e12a96ef279174d768d8fddfa4765d9286095a6
Instruction Fuzzy Hash: DC6132B2C043899FCB11CFA9C880ACEBFB1FF49314F29816AE415AB252D774A945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02EEFB98 Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02EEFD0A

Memory Dump Source

Source File: 00000008.00000002.561586339.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_gNrfORqjCV.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bda36135535273e17ac5c2089f9c85ab26069aeb4a0aba3761815f7bbeeebfb0
Instruction ID: 414247fd00dd10fe56dafe0b37c195be66578da077dbfd9d401ff2b18785ccd5
Opcode Fuzzy Hash: bda36135535273e17ac5c2089f9c85ab26069aeb4a0aba3761815f7bbeeebfb0
Instruction Fuzzy Hash: E15101B1C00249AFDF01CFA9C980ACEBFB5FF49314F25816AE909AB220D7719995CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06C13604 Relevance: 1.6, APIs: 1, Instructions: 143
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06C13738

Memory Dump Source

Source File: 00000008.00000002.575417625.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c10000_gNrfORqjCV.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: b3e1a9dddf9f97a51087a52728a9a588903b95024aeabcddb33cd1d24eacf1aa
Instruction ID: 08b902ee36cf58486e150a9685bd10f777264d783de4e2230ad4425f7923744a
Opcode Fuzzy Hash: b3e1a9dddf9f97a51087a52728a9a588903b95024aeabcddb33cd1d24eacf1aa
Instruction Fuzzy Hash: 8D5142B1D0069DCFDB50CFA9C9806DDBBB1FF49314F24802AE819AB250DBB49985DF90

Uniqueness

Uniqueness Score: -1.00%

Function 06C1190C Relevance: 1.6, APIs: 1, Instructions: 140
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06C13738

Memory Dump Source

Source File: 00000008.00000002.575417625.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c10000_gNrfORqjCV.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 48aebf8da9b5b988f7edb59fdffd2b685b7321e6f9b98fcd68862195c956f6e1
Instruction ID: 3247af73ccc32081b7a91380bd37a3a7ee317260516afc8108e79eeb508e6276
Opcode Fuzzy Hash: 48aebf8da9b5b988f7edb59fdffd2b685b7321e6f9b98fcd68862195c956f6e1
Instruction Fuzzy Hash: EB5135B1D0065DCFCB50CFA9C9806DDBBB1FF49314F24802AE809AB250DBB49985DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02EEDA04 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02EEFD0A

Memory Dump Source

Source File: 00000008.00000002.561586339.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_gNrfORqjCV.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3b1e070ecc29434164b85feb182bbaed2610156a71022aadc9a0c0976920b7f2
Instruction ID: 38843cd51926e54303229da7380c7aeb7b7efbcba57c0fbf611c4bbd2251ea73
Opcode Fuzzy Hash: 3b1e070ecc29434164b85feb182bbaed2610156a71022aadc9a0c0976920b7f2
Instruction Fuzzy Hash: A751ACB1D003099FDF14CFAAC984ADEBBB5BF48714F24912AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02EEA14C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02EEBCC6,?,?,?,?,?), ref: 02EEBD87

Memory Dump Source

Source File: 00000008.00000002.561586339.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_gNrfORqjCV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e72c73819ffb0b8984c71729803af3816728847fbec27df6fc25b9441d2f6b9d
Instruction ID: b2a1aa0a98df195e46541715a772b14962ad91be7de451dc01a8923bec372c2e
Opcode Fuzzy Hash: e72c73819ffb0b8984c71729803af3816728847fbec27df6fc25b9441d2f6b9d
Instruction Fuzzy Hash: 0F2103B5900209EFCB10CF9AD984ADEBBF4FB48324F14841AE915A7310C374A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EEBCF9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02EEBCC6,?,?,?,?,?), ref: 02EEBD87

Memory Dump Source

Source File: 00000008.00000002.561586339.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_gNrfORqjCV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0d3a61ed5d2d6ccec66513842e95aa124fd997b8fb990f50a26704ee2c7cb9d1
Instruction ID: ef5705404c3d31f7bbeabd4f1bd6ae2027847fc7ea890891560489b3567f9c22
Opcode Fuzzy Hash: 0d3a61ed5d2d6ccec66513842e95aa124fd997b8fb990f50a26704ee2c7cb9d1
Instruction Fuzzy Hash: 4121E3B59002499FDB10CFA9D584ADEBBF4FB48324F14851AE955B7210C378A954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EE8768 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02EE96A9,00000800,00000000,00000000), ref: 02EE98BA

Memory Dump Source

Source File: 00000008.00000002.561586339.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_gNrfORqjCV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 20be7fe479c9202f2d63aceb31c8832ac092b4a9db013f06e7c850f33b054147
Instruction ID: 7a858e463f5bcdd8a6ead6b20a8ad931b9b8208fe6a41be4ef90dd961312a364
Opcode Fuzzy Hash: 20be7fe479c9202f2d63aceb31c8832ac092b4a9db013f06e7c850f33b054147
Instruction Fuzzy Hash: 141106B6D003098FCB10CF9AC444ADEBBF4EB48324F14842ED526A7610C374A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EE9849 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02EE96A9,00000800,00000000,00000000), ref: 02EE98BA

Memory Dump Source

Source File: 00000008.00000002.561586339.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_gNrfORqjCV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5b2d395e3dc8b29d2802e696c8043885d960eeff8886632e576ae7b430b2047e
Instruction ID: 7a8a98c947b6a321d74e986aa901b94cdd26bc3c70d9b080c9e5f0c87514d2c4
Opcode Fuzzy Hash: 5b2d395e3dc8b29d2802e696c8043885d960eeff8886632e576ae7b430b2047e
Instruction Fuzzy Hash: D01114B6D003098FDB10CF9AC484ADEFBF4EB88324F14842AD46AA7610C3B4A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EE95C8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02EE962E

Memory Dump Source

Source File: 00000008.00000002.561586339.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_gNrfORqjCV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4d3bbf24e398176ef19c9892de18ef7755714726e3d6031364cca9261ff377a2
Instruction ID: d82e47ce18a0190ed8f50206bab9e72cd63fe88a5fff367cde721995e1b3c817
Opcode Fuzzy Hash: 4d3bbf24e398176ef19c9892de18ef7755714726e3d6031364cca9261ff377a2
Instruction Fuzzy Hash: 0911E0B6D0074A8FCB10CF9AC544ADEFBF4EF88324F14846AD45AA7610C3B4A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02EEDA3C Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02EEFE28,?,?,?,?), ref: 02EEFE9D

Memory Dump Source

Source File: 00000008.00000002.561586339.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_gNrfORqjCV.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: faadf0be8630e4442e07c100118ab06bf23dbb331213cbe4b682419da23aa424
Instruction ID: 5d40d04dc39517d37b5d9d30331bc3d238c5024ef4133e5000227d21f2cc5601
Opcode Fuzzy Hash: faadf0be8630e4442e07c100118ab06bf23dbb331213cbe4b682419da23aa424
Instruction Fuzzy Hash: 101136B59003498FCB10DF8AC584BDFBBF8EB48324F10845AE919A7701C3B4A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02EEFE38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02EEFE28,?,?,?,?), ref: 02EEFE9D

Memory Dump Source

Source File: 00000008.00000002.561586339.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_gNrfORqjCV.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d35e10bbac886046d0f20b440f297b16119498bf5e95981c21dfbf889d00cfb0
Instruction ID: 823edf45a603a9241b999eb3b47a0b06cf8f3ae2661a5d191cbc1b0af80bc989
Opcode Fuzzy Hash: d35e10bbac886046d0f20b440f297b16119498bf5e95981c21dfbf889d00cfb0
Instruction Fuzzy Hash: A91133B59003099FDB10CF9AC584BDEBBF8EB48324F20845AD859B7700C3B4A980CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFD1D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.558748614.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_dfd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b57c5a63eded5372e00d01ef5566309f43ada794f13a4061a0eb3bda27c03e
Instruction ID: ac00cc78d1c7333c0c43bf00fe1c8547863b57bd9ff02cdc16e0f92bf331fc40
Opcode Fuzzy Hash: 46b57c5a63eded5372e00d01ef5566309f43ada794f13a4061a0eb3bda27c03e
Instruction Fuzzy Hash: CC210372504244EFDB05DF54D8C0B2ABF67FB88324F28C669EA450B246C336D856DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.558748614.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_dfd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6548f6b15e376aad0c6870de3de8a719fa745e8b7d9810405050262f4b1125a7
Instruction ID: 7a26da304a092190f21069eaeef1e0966a113409e414c81810de5df6afa2ae7c
Opcode Fuzzy Hash: 6548f6b15e376aad0c6870de3de8a719fa745e8b7d9810405050262f4b1125a7
Instruction Fuzzy Hash: 1221E2B1504248DFDB05DF14D9C0B26BF67FB94328F24C569DA450A216C336D846D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFD1D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.558748614.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_dfd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f906f83a178082e7d7d0a07ac00f86b8a262bd51881fd340313f04e9881f9409
Instruction ID: f84448b7d93a847ca39f7ac6a8adf6b8a59f6ff708bdecd5080509ff31d8a650
Opcode Fuzzy Hash: f906f83a178082e7d7d0a07ac00f86b8a262bd51881fd340313f04e9881f9409
Instruction Fuzzy Hash: 6B21D676504244DFCB16CF50D9C4B26BF72FB84314F28C6AADD440B656C336D85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.558748614.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_dfd000_gNrfORqjCV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction ID: f2000757dc53832e859e44df247915e83cf50eedbac3270789113391752262e2
Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction Fuzzy Hash: 0511D676504244CFDB16CF14D5C4B26BF72FB85324F28C6A9D9050B716C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gNrfORqjCV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GzGmImHFmOq.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gNrfORqjCV.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1j2kljyl.nvz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amg03k4b.ntk.ps1

Windows Analysis Report
gNrfORqjCV.exe