Edit tour

Windows Analysis Report
gNrfORqjCV.exe

Overview

General Information

Sample Name:	gNrfORqjCV.exe
Analysis ID:	800437
MD5:	60c8d91adfa30a60afa2f5437ce7d041
SHA1:	f8460389f343481d7420073ad1da2f90ddedc696
SHA256:	5707c702f70cc5bf864e10aaab48f9300e3be0a7892d8faa1810145f0af93d2d
Tags:	exe
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

gNrfORqjCV.exe (PID: 5240 cmdline: C:\Users\user\Desktop\gNrfORqjCV.exe MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

powershell.exe (PID: 492 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 1544 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5936 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

gNrfORqjCV.exe (PID: 5320 cmdline: C:\Users\user\Desktop\gNrfORqjCV.exe MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

schtasks.exe (PID: 5256 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2556.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6016 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp27D7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

GzGmImHFmOq.exe (PID: 5000 cmdline: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

schtasks.exe (PID: 5660 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp389B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

GzGmImHFmOq.exe (PID: 5544 cmdline: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

gNrfORqjCV.exe (PID: 5248 cmdline: C:\Users\user\Desktop\gNrfORqjCV.exe 0 MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

powershell.exe (PID: 1252 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 400 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 1640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5684 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

gNrfORqjCV.exe (PID: 1324 cmdline: C:\Users\user\Desktop\gNrfORqjCV.exe MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

dhcpmon.exe (PID: 4544 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

dhcpmon.exe (PID: 4720 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 60C8D91ADFA30A60AFA2F5437CE7D041)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "cb7cb109-a06b-4fd7-8d0e-5290e77d", "Group": "MOFASA", "Domain1": "nonoise.duckdns.org", "Domain2": "127.0.0.1", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "84.200.70.40", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435d5:$a: NanoCore 0x4362e:$a: NanoCore 0x4366b:$a: NanoCore 0x436e4:$a: NanoCore 0x56d8f:$a: NanoCore 0x56da4:$a: NanoCore 0x56dd9:$a: NanoCore 0x6fd7b:$a: NanoCore 0x6fd90:$a: NanoCore 0x6fdc5:$a: NanoCore 0x43637:$b: ClientPlugin 0x43674:$b: ClientPlugin 0x43f72:$b: ClientPlugin 0x43f7f:$b: ClientPlugin 0x56b4b:$b: ClientPlugin 0x56b66:$b: ClientPlugin 0x56b96:$b: ClientPlugin 0x56dad:$b: ClientPlugin 0x56de2:$b: ClientPlugin 0x6fb37:$b: ClientPlugin 0x6fb52:$b: ClientPlugin
00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4366b:$a1: NanoCore.ClientPluginHost 0x56dd9:$a1: NanoCore.ClientPluginHost 0x6fdc5:$a1: NanoCore.ClientPluginHost 0x4362e:$a2: NanoCore.ClientPlugin 0x56da4:$a2: NanoCore.ClientPlugin 0x6fd90:$a2: NanoCore.ClientPlugin 0x43a02:$b1: get_BuilderSettings 0x5bd1f:$b1: get_BuilderSettings 0x74d0b:$b1: get_BuilderSettings 0x436b9:$b4: IClientAppHost 0x43a73:$b6: AddHostEntry 0x43ae2:$b7: LogClientException 0x5bc8e:$b7: LogClientException 0x74c7a:$b7: LogClientException 0x43a57:$b8: PipeExists 0x436a6:$b9: IClientLoggingHost 0x56df3:$b9: IClientLoggingHost 0x6fddf:$b9: IClientLoggingHost
0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x44b3d:$x1: NanoCore.ClientPluginHost 0x7775d:$x1: NanoCore.ClientPluginHost 0xaa17d:$x1: NanoCore.ClientPluginHost 0x44b7a:$x2: IClientNetworkHost 0x7779a:$x2: IClientNetworkHost 0xaa1ba:$x2: IClientNetworkHost 0x486ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7b2cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xadced:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x448a5:$a: NanoCore 0x448b5:$a: NanoCore 0x44ae9:$a: NanoCore 0x44afd:$a: NanoCore 0x44b3d:$a: NanoCore 0x774c5:$a: NanoCore 0x774d5:$a: NanoCore 0x77709:$a: NanoCore 0x7771d:$a: NanoCore 0x7775d:$a: NanoCore 0xa9ee5:$a: NanoCore 0xa9ef5:$a: NanoCore 0xaa129:$a: NanoCore 0xaa13d:$a: NanoCore 0xaa17d:$a: NanoCore 0x44904:$b: ClientPlugin 0x44b06:$b: ClientPlugin 0x44b46:$b: ClientPlugin 0x77524:$b: ClientPlugin 0x77726:$b: ClientPlugin 0x77766:$b: ClientPlugin
0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x44b3d:$a1: NanoCore.ClientPluginHost 0x7775d:$a1: NanoCore.ClientPluginHost 0xaa17d:$a1: NanoCore.ClientPluginHost 0x44afd:$a2: NanoCore.ClientPlugin 0x7771d:$a2: NanoCore.ClientPlugin 0xaa13d:$a2: NanoCore.ClientPlugin 0x46a56:$b1: get_BuilderSettings 0x79676:$b1: get_BuilderSettings 0xac096:$b1: get_BuilderSettings 0x44959:$b2: ClientLoaderForm.resources 0x77579:$b2: ClientLoaderForm.resources 0xa9f99:$b2: ClientLoaderForm.resources 0x46176:$b3: PluginCommand 0x78d96:$b3: PluginCommand 0xab7b6:$b3: PluginCommand 0x44b2e:$b4: IClientAppHost 0x7774e:$b4: IClientAppHost 0xaa16e:$b4: IClientAppHost 0x4efae:$b5: GetBlockHash 0x81bce:$b5: GetBlockHash 0xb45ee:$b5: GetBlockHash
00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x70e9:$a1: NanoCore.ClientPluginHost 0x70ac:$a2: NanoCore.ClientPlugin 0x7480:$b1: get_BuilderSettings 0x7137:$b4: IClientAppHost 0x74f1:$b6: AddHostEntry 0x7560:$b7: LogClientException 0x74d5:$b8: PipeExists 0x7124:$b9: IClientLoggingHost
00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x44bc5:$x1: NanoCore.ClientPluginHost 0x777e5:$x1: NanoCore.ClientPluginHost 0xaa205:$x1: NanoCore.ClientPluginHost 0x44c02:$x2: IClientNetworkHost 0x77822:$x2: IClientNetworkHost 0xaa242:$x2: IClientNetworkHost 0x48735:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7b355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xadd75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4492d:$a: NanoCore 0x4493d:$a: NanoCore 0x44b71:$a: NanoCore 0x44b85:$a: NanoCore 0x44bc5:$a: NanoCore 0x7754d:$a: NanoCore 0x7755d:$a: NanoCore 0x77791:$a: NanoCore 0x777a5:$a: NanoCore 0x777e5:$a: NanoCore 0xa9f6d:$a: NanoCore 0xa9f7d:$a: NanoCore 0xaa1b1:$a: NanoCore 0xaa1c5:$a: NanoCore 0xaa205:$a: NanoCore 0x4498c:$b: ClientPlugin 0x44b8e:$b: ClientPlugin 0x44bce:$b: ClientPlugin 0x775ac:$b: ClientPlugin 0x777ae:$b: ClientPlugin 0x777ee:$b: ClientPlugin
00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x44bc5:$a1: NanoCore.ClientPluginHost 0x777e5:$a1: NanoCore.ClientPluginHost 0xaa205:$a1: NanoCore.ClientPluginHost 0x44b85:$a2: NanoCore.ClientPlugin 0x777a5:$a2: NanoCore.ClientPlugin 0xaa1c5:$a2: NanoCore.ClientPlugin 0x46ade:$b1: get_BuilderSettings 0x796fe:$b1: get_BuilderSettings 0xac11e:$b1: get_BuilderSettings 0x449e1:$b2: ClientLoaderForm.resources 0x77601:$b2: ClientLoaderForm.resources 0xaa021:$b2: ClientLoaderForm.resources 0x461fe:$b3: PluginCommand 0x78e1e:$b3: PluginCommand 0xab83e:$b3: PluginCommand 0x44bb6:$b4: IClientAppHost 0x777d6:$b4: IClientAppHost 0xaa1f6:$b4: IClientAppHost 0x4f036:$b5: GetBlockHash 0x81c56:$b5: GetBlockHash 0xb4676:$b5: GetBlockHash
00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69367:$a: NanoCore 0x693c0:$a: NanoCore 0x693fd:$a: NanoCore 0x69476:$a: NanoCore 0x693c9:$b: ClientPlugin 0x69406:$b: ClientPlugin 0x69d04:$b: ClientPlugin 0x69d11:$b: ClientPlugin 0x5f4de:$e: KeepAlive 0x69851:$g: LogClientMessage 0x697d1:$i: get_Connected 0x5979d:$j: #=q 0x597cd:$j: #=q 0x59809:$j: #=q 0x59831:$j: #=q 0x59861:$j: #=q 0x59891:$j: #=q 0x598c1:$j: #=q 0x598f1:$j: #=q 0x5990d:$j: #=q 0x5993d:$j: #=q
00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x693fd:$a1: NanoCore.ClientPluginHost 0x693c0:$a2: NanoCore.ClientPlugin 0x5acd7:$b1: get_BuilderSettings 0x69794:$b1: get_BuilderSettings 0x6944b:$b4: IClientAppHost 0x69805:$b6: AddHostEntry 0x5ac46:$b7: LogClientException 0x69874:$b7: LogClientException 0x697e9:$b8: PipeExists 0x69438:$b9: IClientLoggingHost
0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69433:$a: NanoCore 0x6948c:$a: NanoCore 0x694c9:$a: NanoCore 0x69542:$a: NanoCore 0x69495:$b: ClientPlugin 0x694d2:$b: ClientPlugin 0x69dd0:$b: ClientPlugin 0x69ddd:$b: ClientPlugin 0x5f5aa:$e: KeepAlive 0x6991d:$g: LogClientMessage 0x6989d:$i: get_Connected 0x59869:$j: #=q 0x59899:$j: #=q 0x598d5:$j: #=q 0x598fd:$j: #=q 0x5992d:$j: #=q 0x5995d:$j: #=q 0x5998d:$j: #=q 0x599bd:$j: #=q 0x599d9:$j: #=q 0x59a09:$j: #=q
0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694c9:$a1: NanoCore.ClientPluginHost 0x6948c:$a2: NanoCore.ClientPlugin 0x5ada3:$b1: get_BuilderSettings 0x69860:$b1: get_BuilderSettings 0x69517:$b4: IClientAppHost 0x698d1:$b6: AddHostEntry 0x5ad12:$b7: LogClientException 0x69940:$b7: LogClientException 0x698b5:$b8: PipeExists 0x69504:$b9: IClientLoggingHost
00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x457b5:$x1: NanoCore.ClientPluginHost 0x783d5:$x1: NanoCore.ClientPluginHost 0xaadf5:$x1: NanoCore.ClientPluginHost 0x457f2:$x2: IClientNetworkHost 0x78412:$x2: IClientNetworkHost 0xaae32:$x2: IClientNetworkHost 0x49325:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7bf45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xae965:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4551d:$a: NanoCore 0x4552d:$a: NanoCore 0x45761:$a: NanoCore 0x45775:$a: NanoCore 0x457b5:$a: NanoCore 0x7813d:$a: NanoCore 0x7814d:$a: NanoCore 0x78381:$a: NanoCore 0x78395:$a: NanoCore 0x783d5:$a: NanoCore 0xaab5d:$a: NanoCore 0xaab6d:$a: NanoCore 0xaada1:$a: NanoCore 0xaadb5:$a: NanoCore 0xaadf5:$a: NanoCore 0x4557c:$b: ClientPlugin 0x4577e:$b: ClientPlugin 0x457be:$b: ClientPlugin 0x7819c:$b: ClientPlugin 0x7839e:$b: ClientPlugin 0x783de:$b: ClientPlugin
00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x457b5:$a1: NanoCore.ClientPluginHost 0x783d5:$a1: NanoCore.ClientPluginHost 0xaadf5:$a1: NanoCore.ClientPluginHost 0x45775:$a2: NanoCore.ClientPlugin 0x78395:$a2: NanoCore.ClientPlugin 0xaadb5:$a2: NanoCore.ClientPlugin 0x476ce:$b1: get_BuilderSettings 0x7a2ee:$b1: get_BuilderSettings 0xacd0e:$b1: get_BuilderSettings 0x455d1:$b2: ClientLoaderForm.resources 0x781f1:$b2: ClientLoaderForm.resources 0xaac11:$b2: ClientLoaderForm.resources 0x46dee:$b3: PluginCommand 0x79a0e:$b3: PluginCommand 0xac42e:$b3: PluginCommand 0x457a6:$b4: IClientAppHost 0x783c6:$b4: IClientAppHost 0xaade6:$b4: IClientAppHost 0x4fc26:$b5: GetBlockHash 0x82846:$b5: GetBlockHash 0xb5266:$b5: GetBlockHash
00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 5240	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2536a3:$x1: NanoCore.ClientPluginHost 0x2536e0:$x2: IClientNetworkHost 0x2571c8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x262246:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26e2c0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x27967c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: gNrfORqjCV.exe PID: 5240	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 5240	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 5240	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x253370:$a: NanoCore 0x253380:$a: NanoCore 0x25343f:$a: NanoCore 0x25344e:$a: NanoCore 0x25364f:$a: NanoCore 0x253663:$a: NanoCore 0x2536a3:$a: NanoCore 0x25e8b0:$a: NanoCore 0x25e8c2:$a: NanoCore 0x25e8fe:$a: NanoCore 0x26a92a:$a: NanoCore 0x26a93c:$a: NanoCore 0x26a978:$a: NanoCore 0x275ce6:$a: NanoCore 0x275cf8:$a: NanoCore 0x275d34:$a: NanoCore 0x2533cf:$b: ClientPlugin 0x253498:$b: ClientPlugin 0x25366c:$b: ClientPlugin 0x2536ac:$b: ClientPlugin 0x25e8cb:$b: ClientPlugin
Process Memory Space: gNrfORqjCV.exe PID: 5240	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2536a3:$a1: NanoCore.ClientPluginHost 0x253663:$a2: NanoCore.ClientPlugin 0x255571:$b1: get_BuilderSettings 0x253424:$b2: ClientLoaderForm.resources 0x254c91:$b3: PluginCommand 0x253694:$b4: IClientAppHost 0x25dabc:$b5: GetBlockHash 0x255bc9:$b6: AddHostEntry 0x260ce0:$b6: AddHostEntry 0x26cd5a:$b6: AddHostEntry 0x278116:$b6: AddHostEntry 0x2598bc:$b7: LogClientException 0x264821:$b7: LogClientException 0x27089b:$b7: LogClientException 0x27bc57:$b7: LogClientException 0x255b36:$b8: PipeExists 0x260c54:$b8: PipeExists 0x26ccce:$b8: PipeExists 0x27808a:$b8: PipeExists 0x2536cd:$b9: IClientLoggingHost
Process Memory Space: GzGmImHFmOq.exe PID: 5000	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3d74a:$x1: NanoCore.ClientPluginHost 0x3d787:$x2: IClientNetworkHost 0x4126f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4c2ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x58367:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x63723:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: GzGmImHFmOq.exe PID: 5000	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: GzGmImHFmOq.exe PID: 5000	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: GzGmImHFmOq.exe PID: 5000	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3d417:$a: NanoCore 0x3d427:$a: NanoCore 0x3d4e6:$a: NanoCore 0x3d4f5:$a: NanoCore 0x3d6f6:$a: NanoCore 0x3d70a:$a: NanoCore 0x3d74a:$a: NanoCore 0x48957:$a: NanoCore 0x48969:$a: NanoCore 0x489a5:$a: NanoCore 0x549d1:$a: NanoCore 0x549e3:$a: NanoCore 0x54a1f:$a: NanoCore 0x5fd8d:$a: NanoCore 0x5fd9f:$a: NanoCore 0x5fddb:$a: NanoCore 0x3d476:$b: ClientPlugin 0x3d53f:$b: ClientPlugin 0x3d713:$b: ClientPlugin 0x3d753:$b: ClientPlugin 0x48972:$b: ClientPlugin
Process Memory Space: GzGmImHFmOq.exe PID: 5000	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d74a:$a1: NanoCore.ClientPluginHost 0x3d70a:$a2: NanoCore.ClientPlugin 0x3f618:$b1: get_BuilderSettings 0x3d4cb:$b2: ClientLoaderForm.resources 0x3ed38:$b3: PluginCommand 0x3d73b:$b4: IClientAppHost 0x47b63:$b5: GetBlockHash 0x3fc70:$b6: AddHostEntry 0x4ad87:$b6: AddHostEntry 0x56e01:$b6: AddHostEntry 0x621bd:$b6: AddHostEntry 0x43963:$b7: LogClientException 0x4e8c8:$b7: LogClientException 0x5a942:$b7: LogClientException 0x65cfe:$b7: LogClientException 0x3fbdd:$b8: PipeExists 0x4acfb:$b8: PipeExists 0x56d75:$b8: PipeExists 0x62131:$b8: PipeExists 0x3d774:$b9: IClientLoggingHost
Process Memory Space: gNrfORqjCV.exe PID: 5320	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2f882:$a1: NanoCore.ClientPluginHost 0x2f845:$a2: NanoCore.ClientPlugin 0x2fbfc:$b1: get_BuilderSettings 0x2f8d0:$b4: IClientAppHost 0x2fc6d:$b6: AddHostEntry 0x2fcdc:$b7: LogClientException 0x2fc51:$b8: PipeExists 0x2f8bd:$b9: IClientLoggingHost
Process Memory Space: gNrfORqjCV.exe PID: 5248	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1278f:$x1: NanoCore.ClientPluginHost 0x127cc:$x2: IClientNetworkHost 0x162b4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x21332:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2d3ac:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x38768:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: gNrfORqjCV.exe PID: 5248	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 5248	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1245c:$a: NanoCore 0x1246c:$a: NanoCore 0x1252b:$a: NanoCore 0x1253a:$a: NanoCore 0x1273b:$a: NanoCore 0x1274f:$a: NanoCore 0x1278f:$a: NanoCore 0x1d99c:$a: NanoCore 0x1d9ae:$a: NanoCore 0x1d9ea:$a: NanoCore 0x29a16:$a: NanoCore 0x29a28:$a: NanoCore 0x29a64:$a: NanoCore 0x34dd2:$a: NanoCore 0x34de4:$a: NanoCore 0x34e20:$a: NanoCore 0x124bb:$b: ClientPlugin 0x12584:$b: ClientPlugin 0x12758:$b: ClientPlugin 0x12798:$b: ClientPlugin 0x1d9b7:$b: ClientPlugin
Process Memory Space: gNrfORqjCV.exe PID: 5248	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1278f:$a1: NanoCore.ClientPluginHost 0x1274f:$a2: NanoCore.ClientPlugin 0x1465d:$b1: get_BuilderSettings 0x12510:$b2: ClientLoaderForm.resources 0x13d7d:$b3: PluginCommand 0x12780:$b4: IClientAppHost 0x1cba8:$b5: GetBlockHash 0x14cb5:$b6: AddHostEntry 0x1fdcc:$b6: AddHostEntry 0x2be46:$b6: AddHostEntry 0x37202:$b6: AddHostEntry 0x189a8:$b7: LogClientException 0x2390d:$b7: LogClientException 0x2f987:$b7: LogClientException 0x3ad43:$b7: LogClientException 0x14c22:$b8: PipeExists 0x1fd40:$b8: PipeExists 0x2bdba:$b8: PipeExists 0x37176:$b8: PipeExists 0x127b9:$b9: IClientLoggingHost
Process Memory Space: dhcpmon.exe PID: 4544	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 1324	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf30:$x1: NanoCore.ClientPluginHost 0x1a15d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0xf6d:$x2: IClientNetworkHost 0x1a177:$x2: IClientNetworkHost 0x42fc7:$x2: IClientNetworkHost 0x4a5e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xfae4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: gNrfORqjCV.exe PID: 1324	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: gNrfORqjCV.exe PID: 1324	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbfd:$a: NanoCore 0xc0d:$a: NanoCore 0xccc:$a: NanoCore 0xcdb:$a: NanoCore 0xedc:$a: NanoCore 0xef0:$a: NanoCore 0xf30:$a: NanoCore 0xc14e:$a: NanoCore 0xc160:$a: NanoCore 0xc19c:$a: NanoCore 0x1a0c7:$a: NanoCore 0x1a120:$a: NanoCore 0x1a15d:$a: NanoCore 0x1a1d6:$a: NanoCore 0x1aa8f:$a: NanoCore 0x1aae2:$a: NanoCore 0x1ab1b:$a: NanoCore 0x1ab8e:$a: NanoCore 0x22160:$a: NanoCore 0x22173:$a: NanoCore 0x221a5:$a: NanoCore
Process Memory Space: gNrfORqjCV.exe PID: 1324	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf30:$a1: NanoCore.ClientPluginHost 0x1a15d:$a1: NanoCore.ClientPluginHost 0x42fad:$a1: NanoCore.ClientPluginHost 0xef0:$a2: NanoCore.ClientPlugin 0x1a120:$a2: NanoCore.ClientPlugin 0x42f70:$a2: NanoCore.ClientPlugin 0x2e07:$b1: get_BuilderSettings 0x1a4d7:$b1: get_BuilderSettings 0x3c6f5:$b1: get_BuilderSettings 0xcb1:$b2: ClientLoaderForm.resources 0x2527:$b3: PluginCommand 0xf21:$b4: IClientAppHost 0x1a1ab:$b4: IClientAppHost 0x42ffb:$b4: IClientAppHost 0xb35a:$b5: GetBlockHash 0x345f:$b6: AddHostEntry 0xe57e:$b6: AddHostEntry 0x1a548:$b6: AddHostEntry 0x4330e:$b6: AddHostEntry 0x7152:$b7: LogClientException 0x120bf:$b7: LogClientException
Process Memory Space: GzGmImHFmOq.exe PID: 5544	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: GzGmImHFmOq.exe PID: 5544	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x38c3:$a: NanoCore 0x391e:$a: NanoCore 0x3992:$a: NanoCore 0x18e79:$a: NanoCore 0x18ed2:$a: NanoCore 0x18f0f:$a: NanoCore 0x18f88:$a: NanoCore 0x19716:$a: NanoCore 0x19769:$a: NanoCore 0x197a2:$a: NanoCore 0x19815:$a: NanoCore 0x1a323:$a: NanoCore 0x141c9:$b: ClientPlugin 0x1420a:$b: ClientPlugin 0x18edb:$b: ClientPlugin 0x18f18:$b: ClientPlugin 0x196c6:$b: ClientPlugin 0x196d3:$b: ClientPlugin 0x19772:$b: ClientPlugin 0x197ab:$b: ClientPlugin 0x1a01a:$b: ClientPlugin
Process Memory Space: GzGmImHFmOq.exe PID: 5544	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x18f0f:$a1: NanoCore.ClientPluginHost 0x18ed2:$a2: NanoCore.ClientPlugin 0x12651:$b1: get_BuilderSettings 0x18f5d:$b4: IClientAppHost 0x19270:$b6: AddHostEntry 0x125c0:$b7: LogClientException 0x19254:$b8: PipeExists 0x18f4a:$b9: IClientLoggingHost
Click to see the 57 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
23.2.gNrfORqjCV.exe.398062c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
23.2.gNrfORqjCV.exe.398062c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.398062c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.gNrfORqjCV.exe.398062c.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
23.2.gNrfORqjCV.exe.398062c.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
0.2.gNrfORqjCV.exe.3efe658.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.gNrfORqjCV.exe.3efe658.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.gNrfORqjCV.exe.3efe658.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.gNrfORqjCV.exe.3efe658.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.gNrfORqjCV.exe.3efe658.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.gNrfORqjCV.exe.3efe658.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.gNrfORqjCV.exe.29cf1b4.4.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.gNrfORqjCV.exe.29cf1b4.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x8016:$v1: SbieDll.dll 0x8030:$v2: USER 0x803c:$v3: SANDBOX 0x804e:$v4: VIRUS 0x809e:$v4: VIRUS 0x805c:$v5: MALWARE 0x806e:$v6: SCHMIDTI 0x8082:$v7: CURRENTUSER
7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x44bad:$x1: NanoCore.ClientPluginHost 0x777cd:$x1: NanoCore.ClientPluginHost 0xaa1ed:$x1: NanoCore.ClientPluginHost 0x44bea:$x2: IClientNetworkHost 0x7780a:$x2: IClientNetworkHost 0xaa22a:$x2: IClientNetworkHost 0x4871d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7b33d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xadd5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x44915:$x1: NanoCore Client 0x44925:$x1: NanoCore Client 0x77535:$x1: NanoCore Client 0x77545:$x1: NanoCore Client 0xa9f55:$x1: NanoCore Client 0xa9f65:$x1: NanoCore Client 0x44b6d:$x2: NanoCore.ClientPlugin 0x7778d:$x2: NanoCore.ClientPlugin 0xaa1ad:$x2: NanoCore.ClientPlugin 0x44bad:$x3: NanoCore.ClientPluginHost 0x777cd:$x3: NanoCore.ClientPluginHost 0xaa1ed:$x3: NanoCore.ClientPluginHost 0x44b62:$i1: IClientApp 0x77782:$i1: IClientApp 0xaa1a2:$i1: IClientApp 0x44b83:$i2: IClientData 0x777a3:$i2: IClientData 0xaa1c3:$i2: IClientData 0x44b8f:$i3: IClientNetwork 0x777af:$i3: IClientNetwork 0xaa1cf:$i3: IClientNetwork
7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x44915:$a: NanoCore 0x44925:$a: NanoCore 0x44b59:$a: NanoCore 0x44b6d:$a: NanoCore 0x44bad:$a: NanoCore 0x77535:$a: NanoCore 0x77545:$a: NanoCore 0x77779:$a: NanoCore 0x7778d:$a: NanoCore 0x777cd:$a: NanoCore 0xa9f55:$a: NanoCore 0xa9f65:$a: NanoCore 0xaa199:$a: NanoCore 0xaa1ad:$a: NanoCore 0xaa1ed:$a: NanoCore 0x44974:$b: ClientPlugin 0x44b76:$b: ClientPlugin 0x44bb6:$b: ClientPlugin 0x77594:$b: ClientPlugin 0x77796:$b: ClientPlugin 0x777d6:$b: ClientPlugin
7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x44bad:$a1: NanoCore.ClientPluginHost 0x777cd:$a1: NanoCore.ClientPluginHost 0xaa1ed:$a1: NanoCore.ClientPluginHost 0x44b6d:$a2: NanoCore.ClientPlugin 0x7778d:$a2: NanoCore.ClientPlugin 0xaa1ad:$a2: NanoCore.ClientPlugin 0x46ac6:$b1: get_BuilderSettings 0x796e6:$b1: get_BuilderSettings 0xac106:$b1: get_BuilderSettings 0x449c9:$b2: ClientLoaderForm.resources 0x775e9:$b2: ClientLoaderForm.resources 0xaa009:$b2: ClientLoaderForm.resources 0x461e6:$b3: PluginCommand 0x78e06:$b3: PluginCommand 0xab826:$b3: PluginCommand 0x44b9e:$b4: IClientAppHost 0x777be:$b4: IClientAppHost 0xaa1de:$b4: IClientAppHost 0x4f01e:$b5: GetBlockHash 0x81c3e:$b5: GetBlockHash 0xb465e:$b5: GetBlockHash
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.gNrfORqjCV.exe.431b9b0.10.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d59a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5cf:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d58e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d5b0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5bf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5e9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5cf:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d59a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x32515:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x32484:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5e9:$b9: IClientLoggingHost
23.2.gNrfORqjCV.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
23.2.gNrfORqjCV.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.gNrfORqjCV.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
23.2.gNrfORqjCV.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
23.2.gNrfORqjCV.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.gNrfORqjCV.exe.29ae42c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.gNrfORqjCV.exe.29ae42c.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x28d9e:$v1: SbieDll.dll 0x28db8:$v2: USER 0x28dc4:$v3: SANDBOX 0x28dd6:$v4: VIRUS 0x28e26:$v4: VIRUS 0x28de4:$v5: MALWARE 0x28df6:$v6: SCHMIDTI 0x28e0a:$v7: CURRENTUSER
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.gNrfORqjCV.exe.3ecba38.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
8.2.gNrfORqjCV.exe.305f274.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.gNrfORqjCV.exe.305f274.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
8.2.gNrfORqjCV.exe.305f274.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
8.2.gNrfORqjCV.exe.305f274.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a70000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
8.2.gNrfORqjCV.exe.5a70000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a70000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.gNrfORqjCV.exe.5a70000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
8.2.gNrfORqjCV.exe.5a70000.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x2413b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24170:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x2412f:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24151:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24160:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x2418a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x2419d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x241b0:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241be:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241da:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24170:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x2413b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x290b6:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x29025:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x2418a:$b9: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.GzGmImHFmOq.exe.3f54628.13.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.GzGmImHFmOq.exe.3f87248.11.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
8.2.gNrfORqjCV.exe.5810000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.gNrfORqjCV.exe.5810000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
8.2.gNrfORqjCV.exe.5810000.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
8.2.gNrfORqjCV.exe.5810000.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.gNrfORqjCV.exe.434e5d0.11.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
23.2.gNrfORqjCV.exe.2999588.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
23.2.gNrfORqjCV.exe.2999588.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.2999588.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
23.2.gNrfORqjCV.exe.2999588.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
23.2.gNrfORqjCV.exe.398062c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
23.2.gNrfORqjCV.exe.398062c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
23.2.gNrfORqjCV.exe.398062c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
23.2.gNrfORqjCV.exe.398062c.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28764:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28799:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28758:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2877a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28789:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x287b3:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287c6:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287d9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287e7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x28803:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
23.2.gNrfORqjCV.exe.398062c.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28799:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28764:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6df:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d64e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x287b3:$b9: IClientLoggingHost
0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
15.2.dhcpmon.exe.2f69510.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
15.2.dhcpmon.exe.2f69510.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x1da37e:$v1: SbieDll.dll 0x1da398:$v2: USER 0x1da3a4:$v3: SANDBOX 0x1da3b6:$v4: VIRUS 0x1da406:$v4: VIRUS 0x1da3c4:$v5: MALWARE 0x1da3d6:$v6: SCHMIDTI 0x1da3ea:$v7: CURRENTUSER
15.2.dhcpmon.exe.2f664f8.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
15.2.dhcpmon.exe.2f664f8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x1dd396:$v1: SbieDll.dll 0x1dd3b0:$v2: USER 0x1dd3bc:$v3: SANDBOX 0x1dd3ce:$v4: VIRUS 0x1dd41e:$v4: VIRUS 0x1dd3dc:$v5: MALWARE 0x1dd3ee:$v6: SCHMIDTI 0x1dd402:$v7: CURRENTUSER
15.2.dhcpmon.exe.2f67504.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
15.2.dhcpmon.exe.2f67504.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x1dc38a:$v1: SbieDll.dll 0x1dc3a4:$v2: USER 0x1dc3b0:$v3: SANDBOX 0x1dc3c2:$v4: VIRUS 0x1dc412:$v4: VIRUS 0x1dc3d0:$v5: MALWARE 0x1dc3e2:$v6: SCHMIDTI 0x1dc3f6:$v7: CURRENTUSER
Click to see the 137 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gNrfORqjCV.exe, ProcessId: 5320, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gNrfORqjCV.exe, ProcessId: 5320, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\gNrfORqjCV.exe, ParentImage: C:\Users\user\Desktop\gNrfORqjCV.exe, ParentProcessId: 5240, ParentProcessName: gNrfORqjCV.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp, ProcessId: 5936, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gNrfORqjCV.exe, ProcessId: 5320, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gNrfORqjCV.exe, ProcessId: 5320, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: gNrfORqjCV.exe	ReversingLabs: Detection: 64%
Source: gNrfORqjCV.exe	Virustotal: Detection: 58%			Perma Link

Antivirus detection for URL or domain

Source: nonoise.duckdns.org

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	ReversingLabs: Detection: 64%

Yara detected Nanocore RAT

Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR

Machine Learning detection for sample

Source: gNrfORqjCV.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Joe Sandbox ML: detected

Source: 23.2.gNrfORqjCV.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack	Avira: Label: TR/NanoCore.fadte

Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "cb7cb109-a06b-4fd7-8d0e-5290e77d", "Group": "MOFASA", "Domain1": "nonoise.duckdns.org", "Domain2": "127.0.0.1", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "84.200.70.40", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Source: gNrfORqjCV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: gNrfORqjCV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 4x nop then jmp 07E27B45h
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 4x nop then jmp 07E27B45h
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 4x nop then jmp 078916F5h
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 4x nop then jmp 078916F5h

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: nonoise.duckdns.org
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Source: unknown

DNS query: name: nonoise.duckdns.org

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: Joe Sandbox View

IP Address: 194.5.98.24 194.5.98.24

Source: global traffic

TCP traffic: 192.168.2.5:49701 -> 194.5.98.24:6060

Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.70.40
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80
Source: unknown	UDP traffic detected without corresponding DNS query: 84.200.69.80

Source: gNrfORqjCV.exe, 00000000.00000003.296515775.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296396139.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: gNrfORqjCV.exe, 00000000.00000003.295899082.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296138391.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296240339.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.295949444.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296360113.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296039310.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296275045.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.295980858.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296109893.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296305097.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, GzGmImHFmOq.exe, 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 0000000E.00000002.418053715.0000000003046000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com.T
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comC
Source: gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTCH
Source: gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTCk
Source: gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTCp
Source: gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comde
Source: gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comego
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comlg
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.p
Source: gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coms0
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comsb
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305239978.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057EB000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersF
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersR
Source: gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersT
Source: gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersb
Source: gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerse
Source: gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersl
Source: gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersno
Source: gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersp
Source: gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designerss
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305767077.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTF
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFH
Source: gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305239978.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305277458.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305453770.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305332327.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305058105.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305393745.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFu
Source: gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalicS
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsFu
Source: gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalso
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcom
Source: gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomd
Source: gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306618063.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306685172.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305767077.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd$
Source: gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdy
Source: gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessedQ
Source: gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312042266.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comf
Source: gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312042266.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comion
Source: gNrfORqjCV.exe, 00000000.00000003.305453770.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comony
Source: gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comuevo
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298027129.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/de
Source: gNrfORqjCV.exe, 00000000.00000003.297957541.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298027129.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cna-e
Source: gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnani
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298448695.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnicr
Source: gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnno
Source: gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cntra
Source: gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/Z
Source: gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/n
Source: gNrfORqjCV.exe, 00000000.00000003.307784164.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gNrfORqjCV.exe, 00000000.00000003.297685163.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: gNrfORqjCV.exe, 00000000.00000003.301848813.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301817563.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301964183.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301753239.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301721274.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.302024144.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.302116093.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301786090.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/u
Source: gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/g
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: gNrfORqjCV.exe, 00000000.00000003.301848813.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301817563.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301964183.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301753239.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301721274.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301786090.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-
Source: gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/g
Source: gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/u
Source: gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/kurs
Source: gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t-i
Source: gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: gNrfORqjCV.exe, 00000000.00000003.294783811.00000000057C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: gNrfORqjCV.exe, 00000000.00000003.294783811.00000000057C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: gNrfORqjCV.exe, 00000000.00000003.297685163.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krX
Source: gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kra-d
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnde
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cni
Source: gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnlg
Source: gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.

Source: unknown

DNS traffic detected: queries for: nonoise.duckdns.org

Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.gNrfORqjCV.exe.29cf1b4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.gNrfORqjCV.exe.29ae42c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 15.2.dhcpmon.exe.2f69510.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 15.2.dhcpmon.exe.2f664f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 15.2.dhcpmon.exe.2f67504.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: gNrfORqjCV.exe PID: 5320, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: gNrfORqjCV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.gNrfORqjCV.exe.29cf1b4.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 28.2.GzGmImHFmOq.exe.31f9654.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.gNrfORqjCV.exe.29ae42c.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.gNrfORqjCV.exe.305f274.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.gNrfORqjCV.exe.5810000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.2999588.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 15.2.dhcpmon.exe.2f69510.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 15.2.dhcpmon.exe.2f664f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 15.2.dhcpmon.exe.2f67504.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: gNrfORqjCV.exe PID: 5320, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_0265C214
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_0265E648
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_0265E658
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_07E2273C
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_07E20040
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_07E20007
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_0286C214
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_0286E648
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_0286E658
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B0006
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B5041
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B0040
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B9B28
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B02E0
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_053B02D1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 8_2_02EEE480
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 8_2_02EEE471
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 8_2_02EEBBD4
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 8_2_06C10040

Source: gNrfORqjCV.exe	Binary or memory string: OriginalFilename vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000000.00000002.381347692.0000000007040000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000000.00000003.318367958.0000000007201000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameoWRc.exe> vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000000.00000002.356107386.0000000003B35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTigra.dll. vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000000.00000000.292278061.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameoWRc.exe> vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000008.00000002.568193972.0000000004081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 0000000E.00000002.425767553.0000000004195000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 0000000E.00000002.418053715.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTigra.dll. vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 0000000E.00000002.425767553.0000000004203000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe, 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs gNrfORqjCV.exe
Source: gNrfORqjCV.exe	Binary or memory string: OriginalFilenameoWRc.exe> vs gNrfORqjCV.exe

Source: gNrfORqjCV.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GzGmImHFmOq.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: gNrfORqjCV.exe	ReversingLabs: Detection: 64%
Source: gNrfORqjCV.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File read: C:\Users\user\Desktop\gNrfORqjCV.exe

Jump to behavior

Source: gNrfORqjCV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2556.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp27D7.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp389B.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp389B.tmp
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2556.tmp
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp27D7.tmp
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe

Jump to behavior

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File created: C:\Users\user\AppData\Local\Temp\tmp78F4.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@37/23@20/2

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: gNrfORqjCV.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_01
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{cb7cb109-a06b-4fd7-8d0e-5290e77da5a5}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Mutant created: \Sessions\1\BaseNamedObjects\nPnroCzUduJadCsbkbUABOtLLtA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1640:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_01

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: gNrfORqjCV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: gNrfORqjCV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: gNrfORqjCV.exe, SystemManager/frmBoard.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: GzGmImHFmOq.exe.0.dr, SystemManager/frmBoard.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.gNrfORqjCV.exe.430000.0.unpack, SystemManager/frmBoard.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.8.dr, SystemManager/frmBoard.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Code function: 0_2_07E23603 push ebp; retf
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Code function: 7_2_07893BCF push FFFFFF8Bh; iretd

Source: initial sample	Static PE information: section name: .text entropy: 7.680692465060209
Source: initial sample	Static PE information: section name: .text entropy: 7.680692465060209
Source: initial sample	Static PE information: section name: .text entropy: 7.680692465060209

Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 23.2.gNrfORqjCV.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	File created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe			Jump to dropped file
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

File opened: C:\Users\user\Desktop\gNrfORqjCV.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.gNrfORqjCV.exe.29cf1b4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.29ae42c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.2f69510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.2f664f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.2f67504.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4544, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, GzGmImHFmOq.exe, 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 0000000E.00000002.418053715.0000000003043000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.428209955.0000000003413000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, GzGmImHFmOq.exe, 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 0000000E.00000002.418053715.0000000003043000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000016.00000002.428209955.0000000003413000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 5668	Thread sleep time: -37665s >= -30000s
Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 5544	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1640	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2492	Thread sleep count: 9432 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1812	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe TID: 5008	Thread sleep time: -37665s >= -30000s
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe TID: 4700	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 6032	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 472	Thread sleep time: -37665s >= -30000s
Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 4136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1712	Thread sleep time: -37665s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5020	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4276	Thread sleep count: 9255 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2552	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2816	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6016	Thread sleep time: -37665s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\gNrfORqjCV.exe TID: 5100	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe TID: 748	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9315
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9432
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Window / User API: threadDelayed 9459
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Window / User API: foregroundWindowGot 732
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9255
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8922

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 37665
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Thread delayed: delay time: 37665
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 37665
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 37665
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 37665
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 00000016.00000002.428209955.0000000003413000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000016.00000002.428209955.0000000003413000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000016.00000002.428209955.0000000003413000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Memory written: C:\Users\user\Desktop\gNrfORqjCV.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Memory written: C:\Users\user\Desktop\gNrfORqjCV.exe base: 400000 value starts with: 4D5A

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp389B.tmp
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Process created: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2556.tmp
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp27D7.tmp
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Process created: C:\Users\user\Desktop\gNrfORqjCV.exe C:\Users\user\Desktop\gNrfORqjCV.exe

Source: gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003100000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000008.00000002.561827065.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000008.00000002.575711406.000000000747E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003183000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerHaVph

Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Users\user\Desktop\gNrfORqjCV.exe VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Users\user\Desktop\gNrfORqjCV.exe VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Users\user\Desktop\gNrfORqjCV.exe VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Users\user\Desktop\gNrfORqjCV.exe VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\gNrfORqjCV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\gNrfORqjCV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: gNrfORqjCV.exe, 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: GzGmImHFmOq.exe, 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: gNrfORqjCV.exe, 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: gNrfORqjCV.exe, 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gNrfORqjCV.exe, 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: GzGmImHFmOq.exe, 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: GzGmImHFmOq.exe, 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a74629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f1fc08.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.397b7f6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3efe658.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.gNrfORqjCV.exe.5a70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.3984c55.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f87248.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.434e5d0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.gNrfORqjCV.exe.398062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gNrfORqjCV.exe.3ecba38.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.GzGmImHFmOq.exe.3f54628.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.gNrfORqjCV.exe.431b9b0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gNrfORqjCV.exe PID: 1324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GzGmImHFmOq.exe PID: 5544, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	11 Input Capture	21 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	13 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gNrfORqjCV.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.NanoBot
gNrfORqjCV.exe	59%	Virustotal		Browse
gNrfORqjCV.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.NanoBot
C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.NanoBot

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
23.2.gNrfORqjCV.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
8.2.gNrfORqjCV.exe.5a70000.4.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
nonoise.duckdns.org	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/:	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.fontbureau.comalso	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comcomd	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/C	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.fontbureau.comd$	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/u	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/t	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/-	0%	URL Reputation	safe
http://www.founder.com.cn/cnicr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/g	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/H	0%	URL Reputation	safe
http://www.founder.com.cn/cna-e	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/kurs	0%	Virustotal		Browse
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/:	0%	URL Reputation	safe
http://www.founder.com.cn/cnno	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/~	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.comony	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://www.fontbureau.comB.TTF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/g	0%	URL Reputation	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.fontbureau.comion	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/u	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comf	0%	URL Reputation	safe
http://www.fontbureau.comessedQ	0%	Avira URL Cloud	safe
nonoise.duckdns.org	100%	Avira URL Cloud	malware
http://www.fontbureau.comalsFu	0%	Avira URL Cloud	safe
http://www.sandoll.co.kra-d	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/kurs	0%	Avira URL Cloud	safe
http://www.sandoll.co.krX	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0/u	0%	Avira URL Cloud	safe
http://www.fontbureau.comFu	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cntra	0%	Avira URL Cloud	safe
http://www.fontbureau.comalicS	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cni	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnani	0%	Avira URL Cloud	safe
http://www.fontbureau.comuevo	0%	Avira URL Cloud	safe
http://www.carterandcone.com.T	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnlg	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/t-i	0%	Avira URL Cloud	safe
http://www.carterandcone.comTCH	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/n	0%	Avira URL Cloud	safe
http://www.carterandcone.como.p	0%	Avira URL Cloud	safe
http://www.fontbureau.comFH	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/de	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnde	0%	Avira URL Cloud	safe
http://www.carterandcone.coms0	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/Z	0%	Avira URL Cloud	safe
127.0.0.1	0%	Avira URL Cloud	safe
http://www.carterandcone.comlg	0%	Avira URL Cloud	safe
http://www.fontbureau.comdy	0%	Avira URL Cloud	safe
http://www.carterandcone.comde	0%	Avira URL Cloud	safe
http://www.carterandcone.comego	0%	Avira URL Cloud	safe
http://www.carterandcone.comsb	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nonoise.duckdns.org	194.5.98.24	true	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nonoise.duckdns.org	true	Avira URL Cloud: malware	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.sandoll.co.kra-d	gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comd$	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306618063.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306685172.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305767077.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.comessed	gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/kurs	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsFu	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	gNrfORqjCV.exe, 00000000.00000003.294783811.00000000057C2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/:	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krX	gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/-	gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comalso	gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, GzGmImHFmOq.exe, 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 0000000E.00000002.418053715.0000000003046000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.como.	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comessedQ	gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0/u	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/	gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cntra	gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcomd	gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/H	gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersno	gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/C	gNrfORqjCV.exe, 00000000.00000003.301848813.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301817563.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301964183.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301753239.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301721274.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.302024144.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.302116093.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301786090.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w	gNrfORqjCV.exe, 00000000.00000003.296515775.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296396139.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cni	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comFu	gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305239978.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305277458.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305453770.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305332327.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305058105.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305393745.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304586978.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.comalicS	gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/u	gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/t	gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/-	gNrfORqjCV.exe, 00000000.00000003.301848813.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301817563.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301964183.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301753239.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301721274.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301786090.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnicr	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298448695.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com.T	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/g	gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersF	gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comuevo	gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/H	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnani	gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cna-e	gNrfORqjCV.exe, 00000000.00000003.297957541.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298027129.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comFH	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cnde	gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cnlg	gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	gNrfORqjCV.exe, 00000000.00000003.297685163.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/de	gNrfORqjCV.exe, 00000000.00000003.298397850.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298272672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298235609.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298328560.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comTCH	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/:	gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersT	gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnno	gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/~	gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301489951.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301383146.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersR	gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.typography.netD	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.como.p	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comony	gNrfORqjCV.exe, 00000000.00000003.305453770.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	gNrfORqjCV.exe, 00000000.00000003.307784164.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	gNrfORqjCV.exe, 00000000.00000003.295899082.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296138391.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296240339.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.295949444.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296360113.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296039310.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296275045.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.295980858.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296109893.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.296305097.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/n	gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/t-i	gNrfORqjCV.exe, 00000000.00000003.301275522.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersl	gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.comC	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comB.TTF	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306515905.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305767077.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/g	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comcom	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designerse	gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersb	gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304821209.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fonts.com	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	gNrfORqjCV.exe, 00000000.00000003.297685163.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297489904.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297575248.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.297537163.00000000057E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersp	gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.come	gNrfORqjCV.exe, 00000000.00000003.294783811.00000000057C2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coms0	gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designerss	gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	gNrfORqjCV.exe, 00000000.00000003.306269906.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305929656.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305990317.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304720200.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305838770.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305608628.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306376678.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305713164.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304937014.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303190287.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304656866.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.305239978.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303341407.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306223458.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306133463.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306459708.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.306044876.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.comTC	gNrfORqjCV.exe, 00000000.00000003.298730476.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdy	gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303683488.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comego	gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/Z	gNrfORqjCV.exe, 00000000.00000003.307562749.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comion	gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312042266.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comde	gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/u	gNrfORqjCV.exe, 00000000.00000003.300626397.00000000057DC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	gNrfORqjCV.exe, 00000000.00000003.300916137.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300843664.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301610181.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301642038.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301335862.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301052807.00000000057E1000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.301545636.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd	gNrfORqjCV.exe, 00000000.00000003.304376908.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304071114.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303960292.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304218382.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.304481831.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.303851330.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comlg	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299600985.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299790040.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	gNrfORqjCV.exe, 00000000.00000003.298175941.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298516176.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377796505.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298672055.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298849689.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300055029.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.300121923.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298912231.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299112643.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298027129.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.298051431.00000000057E0000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299908418.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comf	gNrfORqjCV.exe, 00000000.00000003.312305827.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312042266.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312179725.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312571385.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312116348.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000002.377294989.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.312473392.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comsb	gNrfORqjCV.exe, 00000000.00000003.299416168.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299451966.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299359743.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, gNrfORqjCV.exe, 00000000.00000003.299189314.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.24	nonoise.duckdns.org	Netherlands		208476	DANILENKODE	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800437
Start date and time:	2023-02-07 13:54:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	gNrfORqjCV.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@37/23@20/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.9% (good quality ratio 0.8%) Quality average: 67.6% Quality standard deviation: 33.2%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:55:12	API Interceptor	731x Sleep call for process: gNrfORqjCV.exe modified
13:55:20	API Interceptor	148x Sleep call for process: powershell.exe modified
13:55:22	Task Scheduler	Run new task: GzGmImHFmOq path: C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
13:55:31	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\gNrfORqjCV.exe" s>$(Arg0)
13:55:32	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
13:55:35	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
13:55:40	API Interceptor	2x Sleep call for process: dhcpmon.exe modified
13:55:42	API Interceptor	1x Sleep call for process: GzGmImHFmOq.exe modified

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	941568
Entropy (8bit):	7.676646011154186
Encrypted:	false
SSDEEP:	12288:77S45nJrTmHkFrVoaqnS/pjpkH7PRNNiJTp/cuP1FRkkYy27YBp7HwcBVw:nS4PkkFr2QJ6HdaTp081L4y2Qasw
MD5:	60C8D91ADFA30A60AFA2F5437CE7D041
SHA1:	F8460389F343481D7420073AD1DA2F90DDEDC696
SHA-256:	5707C702F70CC5BF864E10AAAB48F9300E3BE0A7892D8FAA1810145F0AF93D2D
SHA-512:	38DE4CFCD5A1E75AF8E730B7F459D545108306BCFE06C2D315FB70B72DD75F550F21E0078F7AE4214D03BBBC5FDD4A3DE8500254534842E6EB8321693F5062C0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.c..............0..V..........>u... ........@.. ....................................@..................................t..O.................................................................................... ............... ..H............text...DU... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B................ u......H........K...B......-....................................................{......{....V.(......}......}.......0..C........u........6.,0(.....{.....{....o....,.(.....{.....{....o....+..+... ...U )UU.Z(.....{....o....X )UU.Z(.....{....o....X.0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...&.(.......0..V........(........}......}.......s"...}......+&...+...{.......(#......X.......-....X.......-....0...........rG.

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GzGmImHFmOq.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gNrfORqjCV.exe.log

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21748
Entropy (8bit):	5.600772758637283
Encrypted:	false
SSDEEP:	384:LtCRLq0gJcKuAax0rq/3ISVxyjulrItiiJ9glSJuyzSv0ZqbAVrdJQBR3BT+inY8:0KuAaxgUxyClrSSlBBs4wXoY8
MD5:	13AAEA93CDE8136DA48D5BF09ADF3B60
SHA1:	0450C3870498BB682CE4010CE9F85A1D6DC8774C
SHA-256:	C68305D299D55E533CD4DFA704D41EF40C81EB455BE38414FC6458A777A8C0F4
SHA-512:	460B8B08B988E680BDFD0869B5EB0E862A89099BB60A146F7A3EFA55CA9BDE803028C18FCFED4A5B154955C9A7ED42BD9B8801CD6AAC230E4F072B2CFA61595C
Malicious:	false
Preview:	@...e...............................d.7...b..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1j2kljyl.nvz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amg03k4b.ntk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fkpvekda.sks.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ilozur5r.kfw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_llqraot0.bne.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n0npb1fb.bd2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oj43ruk0.xkr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p15ocwwh.bio.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp2556.tmp

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	5.111180834949932
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Pcxtn:cbk4oL600QydbQxIYODOLedq3Scj
MD5:	205A4E2EE65AB288C6B92DB204349ACF
SHA1:	2F645852F3AB280F7FC170545EDBC557356DE80E
SHA-256:	5FBCDCDB9CE1FDCA116227AFE38D307CEA461D64D653BD23F20BA3872EA85B72
SHA-512:	77550160EAB85A1B52DBCB26F4D6DA3C4BED08DB7E220AC320937EEABFEA3755C0EA0354D691C803CBF8100A96BB67B06C9C30829876BC5EFA7941A02E3331A5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp27D7.tmp

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp389B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.140535559819237
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt2xvn:cgeCaYrFdOFzOzN33ODOiDdKrsuT6v
MD5:	7249F2169DE65C5704FB934EEAF9D7BF
SHA1:	6A0CB99EB5C1D4ABB0F5A8A6993ABD92DAAC126A
SHA-256:	A8E9843BC4C116B227EF3AD89E1BE8CB9C501370421504FEB5E82C66C8879247
SHA-512:	64D47BBC462F714DE847F49C3FF66F0B9880CFBFB0EB8DE3FC8FE657FF12F9922E256225A91EED819A82B97BB5408053B7FBCB7F7889065C535C281F8B9DD82D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp78F4.tmp

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.140535559819237
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt2xvn:cgeCaYrFdOFzOzN33ODOiDdKrsuT6v
MD5:	7249F2169DE65C5704FB934EEAF9D7BF
SHA1:	6A0CB99EB5C1D4ABB0F5A8A6993ABD92DAAC126A
SHA-256:	A8E9843BC4C116B227EF3AD89E1BE8CB9C501370421504FEB5E82C66C8879247
SHA-512:	64D47BBC462F714DE847F49C3FF66F0B9880CFBFB0EB8DE3FC8FE657FF12F9922E256225A91EED819A82B97BB5408053B7FBCB7F7889065C535C281F8B9DD82D
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.140535559819237
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt2xvn:cgeCaYrFdOFzOzN33ODOiDdKrsuT6v
MD5:	7249F2169DE65C5704FB934EEAF9D7BF
SHA1:	6A0CB99EB5C1D4ABB0F5A8A6993ABD92DAAC126A
SHA-256:	A8E9843BC4C116B227EF3AD89E1BE8CB9C501370421504FEB5E82C66C8879247
SHA-512:	64D47BBC462F714DE847F49C3FF66F0B9880CFBFB0EB8DE3FC8FE657FF12F9922E256225A91EED819A82B97BB5408053B7FBCB7F7889065C535C281F8B9DD82D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:KF:KF
MD5:	84F57A2CCBF5202D84064D529BC5F7F1
SHA1:	48D0C7CADD8EF77664087CAF8474E57C77FAB1AA
SHA-256:	BC484715C0A8CFC52127533FEFB1FE211599F6FD7CAC1183A15C1449E255DBFD
SHA-512:	B4AB763748F3F445E55CCF2A85A9684BF392E5903F4F8253C4F61637099419469895DB23C92EF5C9BC0138B325D57A40F75153C638BF371D41EE79AB0DED11CA
Malicious:	true
Preview:	.pV.V..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.405822250285692
Encrypted:	false
SSDEEP:	3:oNUWJRWCfqGi4A:oNNJACfq6A
MD5:	2C464CA33435236989E7B48201539321
SHA1:	BF6ED3B301DE5F4AE68C17E4CC826C70DE058248
SHA-256:	E8D74AB7595A22F57A930F896093E42870EFCF9CC6FF801D97F0E31073B03D28
SHA-512:	45E51DC7DCDD94F0EE2011AD5AE05A88E3D14825F0F4C46E9B8C55F19C7ECA4D096E28727D0BEA57590E9D02E030F12B001A4C4E53B382671084CA3CB51B7327
Malicious:	false
Preview:	C:\Users\user\Desktop\gNrfORqjCV.exe

C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	941568
Entropy (8bit):	7.676646011154186
Encrypted:	false
SSDEEP:	12288:77S45nJrTmHkFrVoaqnS/pjpkH7PRNNiJTp/cuP1FRkkYy27YBp7HwcBVw:nS4PkkFr2QJ6HdaTp081L4y2Qasw
MD5:	60C8D91ADFA30A60AFA2F5437CE7D041
SHA1:	F8460389F343481D7420073AD1DA2F90DDEDC696
SHA-256:	5707C702F70CC5BF864E10AAAB48F9300E3BE0A7892D8FAA1810145F0AF93D2D
SHA-512:	38DE4CFCD5A1E75AF8E730B7F459D545108306BCFE06C2D315FB70B72DD75F550F21E0078F7AE4214D03BBBC5FDD4A3DE8500254534842E6EB8321693F5062C0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.c..............0..V..........>u... ........@.. ....................................@..................................t..O.................................................................................... ............... ..H............text...DU... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B................ u......H........K...B......-....................................................{......{....V.(......}......}.......0..C........u........6.,0(.....{.....{....o....,.(.....{.....{....o....+..+... ...U )UU.Z(.....{....o....X )UU.Z(.....{....o....X.0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...&.(.......0..V........(........}......}.......s"...}......+&...+...{.......(#......X.......-....X.......-....0...........rG.

C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\gNrfORqjCV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.676646011154186
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	gNrfORqjCV.exe
File size:	941568
MD5:	60c8d91adfa30a60afa2f5437ce7d041
SHA1:	f8460389f343481d7420073ad1da2f90ddedc696
SHA256:	5707c702f70cc5bf864e10aaab48f9300e3be0a7892d8faa1810145f0af93d2d
SHA512:	38de4cfcd5a1e75af8e730b7f459d545108306bcfe06c2d315fb70b72dd75f550f21e0078f7ae4214d03bbbc5fdd4a3de8500254534842e6eb8321693f5062c0
SSDEEP:	12288:77S45nJrTmHkFrVoaqnS/pjpkH7PRNNiJTp/cuP1FRkkYy27YBp7HwcBVw:nS4PkkFr2QJ6HdaTp081L4y2Qasw
TLSH:	82159D5119AB43E6ECF98D7832B8E61826A28CD2476D9D3EBC863D7A8CF370F4451711
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.c..............0..V..........>u... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4e753e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63C94CB9 [Thu Jan 19 13:59:21 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe74ec	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe8000	0x3a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe5544	0xe5600	False	0.8197239015667575	data	7.680692465060209	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe8000	0x3a4	0x400	False	0.3837890625	data	2.942309763240296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe8058	0x348	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 13:55:35.385148048 CET	49701	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:35.746256113 CET	6060	49701	194.5.98.24	192.168.2.5
Feb 7, 2023 13:55:36.263089895 CET	49701	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:36.502480984 CET	6060	49701	194.5.98.24	192.168.2.5
Feb 7, 2023 13:55:37.060009956 CET	49701	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:37.292237043 CET	6060	49701	194.5.98.24	192.168.2.5
Feb 7, 2023 13:55:45.062972069 CET	49702	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:45.285547972 CET	6060	49702	194.5.98.24	192.168.2.5
Feb 7, 2023 13:55:45.967027903 CET	49702	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:46.183325052 CET	6060	49702	194.5.98.24	192.168.2.5
Feb 7, 2023 13:55:46.764082909 CET	49702	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:55:46.995682001 CET	6060	49702	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:08.145855904 CET	49705	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:08.364366055 CET	6060	49705	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:08.953275919 CET	49705	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:09.165040970 CET	6060	49705	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:09.765851021 CET	49705	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:09.983294964 CET	6060	49705	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:39.798890114 CET	49712	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:40.003993034 CET	6060	49712	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:40.518403053 CET	49712	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:40.723225117 CET	6060	49712	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:41.228743076 CET	49712	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:41.443243027 CET	6060	49712	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:54.732409954 CET	49713	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:57.188936949 CET	6060	49713	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:57.863878965 CET	49713	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:58.096165895 CET	6060	49713	194.5.98.24	192.168.2.5
Feb 7, 2023 13:56:58.598249912 CET	49713	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:56:58.812616110 CET	6060	49713	194.5.98.24	192.168.2.5
Feb 7, 2023 13:57:02.917262077 CET	49715	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:57:05.326845884 CET	6060	49715	194.5.98.24	192.168.2.5
Feb 7, 2023 13:57:05.842473984 CET	49715	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:57:07.717140913 CET	6060	49715	194.5.98.24	192.168.2.5
Feb 7, 2023 13:57:08.230956078 CET	49715	6060	192.168.2.5	194.5.98.24
Feb 7, 2023 13:57:12.010140896 CET	6060	49715	194.5.98.24	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 13:55:34.256066084 CET	60649	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:35.317756891 CET	60649	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:35.370954037 CET	53	60649	84.200.69.80	192.168.2.5
Feb 7, 2023 13:55:44.998558044 CET	51441	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:45.034903049 CET	53	51441	84.200.69.80	192.168.2.5
Feb 7, 2023 13:55:53.838025093 CET	49724	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:54.828720093 CET	49724	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:57.980149031 CET	49724	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:55:59.984153032 CET	49724	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:04.031718969 CET	49724	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:08.101353884 CET	65323	53	192.168.2.5	84.200.70.40
Feb 7, 2023 13:56:08.142416954 CET	53	65323	84.200.70.40	192.168.2.5
Feb 7, 2023 13:56:31.261082888 CET	55039	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:32.283844948 CET	55039	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:33.328063011 CET	55039	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:35.691873074 CET	55039	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:39.746449947 CET	55039	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:39.797384977 CET	53	55039	84.200.69.80	192.168.2.5
Feb 7, 2023 13:56:45.474669933 CET	60975	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:46.489002943 CET	60975	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:47.535037041 CET	60975	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:49.536046982 CET	60975	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:53.621021986 CET	60975	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:56:53.668188095 CET	53	60975	84.200.69.80	192.168.2.5
Feb 7, 2023 13:57:02.882363081 CET	55068	53	192.168.2.5	84.200.69.80
Feb 7, 2023 13:57:02.916222095 CET	53	55068	84.200.69.80	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 7, 2023 13:55:34.256066084 CET	192.168.2.5	84.200.69.80	0x9980	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:35.317756891 CET	192.168.2.5	84.200.69.80	0x9980	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:44.998558044 CET	192.168.2.5	84.200.69.80	0x64c6	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:53.838025093 CET	192.168.2.5	84.200.69.80	0x4229	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:54.828720093 CET	192.168.2.5	84.200.69.80	0x4229	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:57.980149031 CET	192.168.2.5	84.200.69.80	0x4229	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:59.984153032 CET	192.168.2.5	84.200.69.80	0x4229	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:04.031718969 CET	192.168.2.5	84.200.69.80	0x4229	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:08.101353884 CET	192.168.2.5	84.200.70.40	0x8c8	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:31.261082888 CET	192.168.2.5	84.200.69.80	0x790f	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:32.283844948 CET	192.168.2.5	84.200.69.80	0x790f	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:33.328063011 CET	192.168.2.5	84.200.69.80	0x790f	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:35.691873074 CET	192.168.2.5	84.200.69.80	0x790f	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:39.746449947 CET	192.168.2.5	84.200.69.80	0x790f	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:45.474669933 CET	192.168.2.5	84.200.69.80	0x7de9	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:46.489002943 CET	192.168.2.5	84.200.69.80	0x7de9	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:47.535037041 CET	192.168.2.5	84.200.69.80	0x7de9	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:49.536046982 CET	192.168.2.5	84.200.69.80	0x7de9	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:53.621021986 CET	192.168.2.5	84.200.69.80	0x7de9	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:57:02.882363081 CET	192.168.2.5	84.200.69.80	0x8867	Standard query (0)	nonoise.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 7, 2023 13:55:35.370954037 CET	84.200.69.80	192.168.2.5	0x9980	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:55:45.034903049 CET	84.200.69.80	192.168.2.5	0x64c6	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:08.142416954 CET	84.200.70.40	192.168.2.5	0x8c8	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:39.797384977 CET	84.200.69.80	192.168.2.5	0x790f	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:56:53.668188095 CET	84.200.69.80	192.168.2.5	0x7de9	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:57:02.916222095 CET	84.200.69.80	192.168.2.5	0x8867	No error (0)	nonoise.duckdns.org	194.5.98.24	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:55:01
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\gNrfORqjCV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\gNrfORqjCV.exe
Imagebase:	0x430000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.350708235.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.356107386.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.350708235.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: powershell.exePID: 492, Parent PID: 5240

General

Target ID:	1
Start time:	13:55:13
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Imagebase:	0xf00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 5684, Parent PID: 492

General

Target ID:	2
Start time:	13:55:13
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 1544, Parent PID: 5240

General

Target ID:	3
Start time:	13:55:14
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Imagebase:	0xf00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 4720, Parent PID: 1544

General

Target ID:	4
Start time:	13:55:14
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 5936, Parent PID: 5240

General

Target ID:	5
Start time:	13:55:14
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp78F4.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 6036, Parent PID: 5936

General

Target ID:	6
Start time:	13:55:14
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: GzGmImHFmOq.exePID: 5000, Parent PID: 1084

General

Target ID:	7
Start time:	13:55:22
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Imagebase:	0x530000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000002.463703676.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.454001802.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 64%, ReversingLabs
Reputation:	low

Analysis Process: gNrfORqjCV.exePID: 5320, Parent PID: 5240

General

Target ID:	8
Start time:	13:55:25
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\gNrfORqjCV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\gNrfORqjCV.exe
Imagebase:	0xbb0000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000008.00000002.571677772.0000000005810000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000008.00000002.574171475.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000008.00000002.561827065.0000000003059000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: schtasks.exePID: 5256, Parent PID: 5320

General

Target ID:	10
Start time:	13:55:30
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp2556.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5228, Parent PID: 5256

General

Target ID:	11
Start time:	13:55:30
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exePID: 6016, Parent PID: 5320

General

Target ID:	12
Start time:	13:55:31
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp27D7.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6108, Parent PID: 6016

General

Target ID:	13
Start time:	13:55:31
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: gNrfORqjCV.exePID: 5248, Parent PID: 1084

General

Target ID:	14
Start time:	13:55:32
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\gNrfORqjCV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\gNrfORqjCV.exe 0
Imagebase:	0x820000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.425767553.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Analysis Process: dhcpmon.exePID: 4544, Parent PID: 1084

General

Target ID:	15
Start time:	13:55:32
Start date:	07/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0x740000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.394849296.0000000002F5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 64%, ReversingLabs

Analysis Process: powershell.exePID: 1252, Parent PID: 5248

General

Target ID:	16
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\gNrfORqjCV.exe
Imagebase:	0xf00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 5244, Parent PID: 1252

General

Target ID:	17
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exePID: 400, Parent PID: 5248

General

Target ID:	18
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Imagebase:	0xf00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 1640, Parent PID: 400

General

Target ID:	19
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exePID: 5684, Parent PID: 5248

General

Target ID:	20
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmpEAF8.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6036, Parent PID: 5684

General

Target ID:	21
Start time:	13:55:43
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exePID: 4720, Parent PID: 3324

General

Target ID:	22
Start time:	13:55:44
Start date:	07/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0xc10000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Analysis Process: gNrfORqjCV.exePID: 1324, Parent PID: 5248

General

Target ID:	23
Start time:	13:55:50
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\gNrfORqjCV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\gNrfORqjCV.exe
Imagebase:	0x4e0000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000002.436230882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000002.440525605.0000000003939000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000002.439566387.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Analysis Process: schtasks.exePID: 5660, Parent PID: 5000

General

Target ID:	26
Start time:	13:56:04
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GzGmImHFmOq" /XML "C:\Users\user\AppData\Local\Temp\tmp389B.tmp
Imagebase:	0xcc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5260, Parent PID: 5660

General

Target ID:	27
Start time:	13:56:04
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: GzGmImHFmOq.exePID: 5544, Parent PID: 5000

General

Target ID:	28
Start time:	13:56:07
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GzGmImHFmOq.exe
Imagebase:	0xc50000
File size:	941568 bytes
MD5 hash:	60C8D91ADFA30A60AFA2F5437CE7D041
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000002.476397038.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Disassembly

⊘No disassembly

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gNrfORqjCV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GzGmImHFmOq.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gNrfORqjCV.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1j2kljyl.nvz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amg03k4b.ntk.ps1

Windows Analysis Report
gNrfORqjCV.exe