Edit tour

Windows Analysis Report
cRC31pEDkr.exe

Overview

General Information

Sample Name:	cRC31pEDkr.exe
Analysis ID:	800441
MD5:	ac2609d2181f756550e3c180329b121c
SHA1:	2ac2462013be76e3bb606c7deaec5e0e4609cd59
SHA256:	9730aee1d4d04bb12e1df2a5550741eed7266625f8d99443dd0cd0dffca07112
Tags:	exeNanoCore
Infos:

Detection

Nanocore, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected zgRAT

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cRC31pEDkr.exe (PID: 4064 cmdline: C:\Users\user\Desktop\cRC31pEDkr.exe MD5: AC2609D2181F756550E3C180329B121C)

powershell.exe (PID: 3492 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 4332 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4724 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cRC31pEDkr.exe (PID: 4980 cmdline: C:\Users\user\Desktop\cRC31pEDkr.exe MD5: AC2609D2181F756550E3C180329B121C)

cRC31pEDkr.exe (PID: 4556 cmdline: C:\Users\user\Desktop\cRC31pEDkr.exe MD5: AC2609D2181F756550E3C180329B121C)

cRC31pEDkr.exe (PID: 1876 cmdline: C:\Users\user\Desktop\cRC31pEDkr.exe MD5: AC2609D2181F756550E3C180329B121C)

KgZEfacljaFey.exe (PID: 6040 cmdline: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe MD5: AC2609D2181F756550E3C180329B121C)

schtasks.exe (PID: 5600 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

KgZEfacljaFey.exe (PID: 5196 cmdline: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe MD5: AC2609D2181F756550E3C180329B121C)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "e971e6b5-1c8b-4bb4-a1a3-7f94e076", "Group": "Ebube", "Domain1": "elzy.ddns.net", "Domain2": "127.0.0.1", "Port": 2000, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f0d:$a: NanoCore 0x42f66:$a: NanoCore 0x42fa3:$a: NanoCore 0x4301c:$a: NanoCore 0x566c7:$a: NanoCore 0x566dc:$a: NanoCore 0x56711:$a: NanoCore 0x6f183:$a: NanoCore 0x6f198:$a: NanoCore 0x6f1cd:$a: NanoCore 0x42f6f:$b: ClientPlugin 0x42fac:$b: ClientPlugin 0x438aa:$b: ClientPlugin 0x438b7:$b: ClientPlugin 0x56483:$b: ClientPlugin 0x5649e:$b: ClientPlugin 0x564ce:$b: ClientPlugin 0x566e5:$b: ClientPlugin 0x5671a:$b: ClientPlugin 0x6ef3f:$b: ClientPlugin 0x6ef5a:$b: ClientPlugin
0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x42fa3:$a1: NanoCore.ClientPluginHost 0x56711:$a1: NanoCore.ClientPluginHost 0x6f1cd:$a1: NanoCore.ClientPluginHost 0x42f66:$a2: NanoCore.ClientPlugin 0x566dc:$a2: NanoCore.ClientPlugin 0x6f198:$a2: NanoCore.ClientPlugin 0x4333a:$b1: get_BuilderSettings 0x5b657:$b1: get_BuilderSettings 0x74113:$b1: get_BuilderSettings 0x42ff1:$b4: IClientAppHost 0x433ab:$b6: AddHostEntry 0x4341a:$b7: LogClientException 0x5b5c6:$b7: LogClientException 0x74082:$b7: LogClientException 0x4338f:$b8: PipeExists 0x42fde:$b9: IClientLoggingHost 0x5672b:$b9: IClientLoggingHost 0x6f1e7:$b9: IClientLoggingHost
0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x36139:$a1: NanoCore.ClientPluginHost 0x360fc:$a2: NanoCore.ClientPlugin 0x364d0:$b1: get_BuilderSettings 0x36187:$b4: IClientAppHost 0x36541:$b6: AddHostEntry 0x365b0:$b7: LogClientException 0x36525:$b8: PipeExists 0x36174:$b9: IClientLoggingHost
0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x45f6d:$x1: NanoCore.ClientPluginHost 0x7898d:$x1: NanoCore.ClientPluginHost 0x184c3d:$x1: NanoCore.ClientPluginHost 0x45faa:$x2: IClientNetworkHost 0x789ca:$x2: IClientNetworkHost 0x184c7a:$x2: IClientNetworkHost 0x49add:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7c4fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1887ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x45cd5:$a: NanoCore 0x45ce5:$a: NanoCore 0x45f19:$a: NanoCore 0x45f2d:$a: NanoCore 0x45f6d:$a: NanoCore 0x786f5:$a: NanoCore 0x78705:$a: NanoCore 0x78939:$a: NanoCore 0x7894d:$a: NanoCore 0x7898d:$a: NanoCore 0x1849a5:$a: NanoCore 0x1849b5:$a: NanoCore 0x184be9:$a: NanoCore 0x184bfd:$a: NanoCore 0x184c3d:$a: NanoCore 0x45d34:$b: ClientPlugin 0x45f36:$b: ClientPlugin 0x45f76:$b: ClientPlugin 0x78754:$b: ClientPlugin 0x78956:$b: ClientPlugin 0x78996:$b: ClientPlugin
00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x45f6d:$a1: NanoCore.ClientPluginHost 0x7898d:$a1: NanoCore.ClientPluginHost 0x184c3d:$a1: NanoCore.ClientPluginHost 0x45f2d:$a2: NanoCore.ClientPlugin 0x7894d:$a2: NanoCore.ClientPlugin 0x184bfd:$a2: NanoCore.ClientPlugin 0x47e86:$b1: get_BuilderSettings 0x7a8a6:$b1: get_BuilderSettings 0x186b56:$b1: get_BuilderSettings 0x45d89:$b2: ClientLoaderForm.resources 0x787a9:$b2: ClientLoaderForm.resources 0x184a59:$b2: ClientLoaderForm.resources 0x475a6:$b3: PluginCommand 0x79fc6:$b3: PluginCommand 0x186276:$b3: PluginCommand 0x45f5e:$b4: IClientAppHost 0x7897e:$b4: IClientAppHost 0x184c2e:$b4: IClientAppHost 0x503de:$b5: GetBlockHash 0x82dfe:$b5: GetBlockHash 0x18f0ae:$b5: GetBlockHash
00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfa3:$a1: NanoCore.ClientPluginHost 0xf66:$a2: NanoCore.ClientPlugin 0xff1:$b4: IClientAppHost 0xfde:$b9: IClientLoggingHost
0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6944b:$a: NanoCore 0x694a4:$a: NanoCore 0x694e1:$a: NanoCore 0x6955a:$a: NanoCore 0x694ad:$b: ClientPlugin 0x694ea:$b: ClientPlugin 0x69de8:$b: ClientPlugin 0x69df5:$b: ClientPlugin 0x5f09a:$e: KeepAlive 0x69935:$g: LogClientMessage 0x698b5:$i: get_Connected 0x59881:$j: #=q 0x598b1:$j: #=q 0x598ed:$j: #=q 0x59915:$j: #=q 0x59945:$j: #=q 0x59975:$j: #=q 0x599a5:$j: #=q 0x599d5:$j: #=q 0x599f1:$j: #=q 0x59a21:$j: #=q
0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694e1:$a1: NanoCore.ClientPluginHost 0x694a4:$a2: NanoCore.ClientPlugin 0x5adbb:$b1: get_BuilderSettings 0x69878:$b1: get_BuilderSettings 0x6952f:$b4: IClientAppHost 0x698e9:$b6: AddHostEntry 0x5ad2a:$b7: LogClientException 0x69958:$b7: LogClientException 0x698cd:$b8: PipeExists 0x6951c:$b9: IClientLoggingHost
Process Memory Space: cRC31pEDkr.exe PID: 4064	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x104621:$x1: NanoCore.ClientPluginHost 0x10465e:$x2: IClientNetworkHost 0x108146:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1131c4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11f2af:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1449e4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: cRC31pEDkr.exe PID: 4064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: cRC31pEDkr.exe PID: 4064	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: cRC31pEDkr.exe PID: 4064	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1042ee:$a: NanoCore 0x1042fe:$a: NanoCore 0x1043bd:$a: NanoCore 0x1043cc:$a: NanoCore 0x1045cd:$a: NanoCore 0x1045e1:$a: NanoCore 0x104621:$a: NanoCore 0x10f82e:$a: NanoCore 0x10f840:$a: NanoCore 0x10f87c:$a: NanoCore 0x11b919:$a: NanoCore 0x11b92b:$a: NanoCore 0x11b967:$a: NanoCore 0x14104e:$a: NanoCore 0x141060:$a: NanoCore 0x14109c:$a: NanoCore 0x10434d:$b: ClientPlugin 0x104416:$b: ClientPlugin 0x1045ea:$b: ClientPlugin 0x10462a:$b: ClientPlugin 0x10f849:$b: ClientPlugin
Process Memory Space: cRC31pEDkr.exe PID: 4064	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x104621:$a1: NanoCore.ClientPluginHost 0x1045e1:$a2: NanoCore.ClientPlugin 0x1064ef:$b1: get_BuilderSettings 0x1043a2:$b2: ClientLoaderForm.resources 0x105c0f:$b3: PluginCommand 0x104612:$b4: IClientAppHost 0x10ea3a:$b5: GetBlockHash 0x106b47:$b6: AddHostEntry 0x111c5e:$b6: AddHostEntry 0x11dd49:$b6: AddHostEntry 0x14347e:$b6: AddHostEntry 0x10a83a:$b7: LogClientException 0x11579f:$b7: LogClientException 0x12188a:$b7: LogClientException 0x146fbf:$b7: LogClientException 0x106ab4:$b8: PipeExists 0x111bd2:$b8: PipeExists 0x11dcbd:$b8: PipeExists 0x1433f2:$b8: PipeExists 0x10464b:$b9: IClientLoggingHost
Process Memory Space: KgZEfacljaFey.exe PID: 6040	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: cRC31pEDkr.exe PID: 1876	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: cRC31pEDkr.exe PID: 1876	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14dc:$a: NanoCore 0x1538:$a: NanoCore 0x15ae:$a: NanoCore 0xbe02:$a: NanoCore 0xbe5b:$a: NanoCore 0xbe98:$a: NanoCore 0xbf11:$a: NanoCore 0xc7b5:$a: NanoCore 0xc808:$a: NanoCore 0xc841:$a: NanoCore 0xc8b4:$a: NanoCore 0x679c8:$a: NanoCore 0x679dc:$a: NanoCore 0x681ff:$a: NanoCore 0x70f50:$a: NanoCore 0x70f65:$a: NanoCore 0x70f9a:$a: NanoCore 0x7611c:$a: NanoCore 0x7612f:$a: NanoCore 0x76161:$a: NanoCore 0x7ef63:$a: NanoCore
Process Memory Space: cRC31pEDkr.exe PID: 1876	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xbe98:$a1: NanoCore.ClientPluginHost 0x70f9a:$a1: NanoCore.ClientPluginHost 0x7eff9:$a1: NanoCore.ClientPluginHost 0xbe5b:$a2: NanoCore.ClientPlugin 0x70f65:$a2: NanoCore.ClientPlugin 0x7efbc:$a2: NanoCore.ClientPlugin 0xc212:$b1: get_BuilderSettings 0x75d6c:$b1: get_BuilderSettings 0xbee6:$b4: IClientAppHost 0x7f047:$b4: IClientAppHost 0xc283:$b6: AddHostEntry 0xc2f2:$b7: LogClientException 0x75cdb:$b7: LogClientException 0xc267:$b8: PipeExists 0xbed3:$b9: IClientLoggingHost 0x70fb4:$b9: IClientLoggingHost 0x7f034:$b9: IClientLoggingHost
Process Memory Space: KgZEfacljaFey.exe PID: 5196	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1ba6:$x1: NanoCore.ClientPluginHost 0x3121f:$x1: NanoCore.ClientPluginHost 0x36258:$x1: NanoCore.ClientPluginHost 0x1bc0:$x2: IClientNetworkHost 0x31239:$x2: IClientNetworkHost 0x36295:$x2: IClientNetworkHost 0x39d86:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x44e0c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: KgZEfacljaFey.exe PID: 5196	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: KgZEfacljaFey.exe PID: 5196	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b10:$a: NanoCore 0x1b69:$a: NanoCore 0x1ba6:$a: NanoCore 0x1c1f:$a: NanoCore 0x24d8:$a: NanoCore 0x252b:$a: NanoCore 0x2564:$a: NanoCore 0x25d7:$a: NanoCore 0x9ba9:$a: NanoCore 0x9bbc:$a: NanoCore 0x9bee:$a: NanoCore 0xf3bb:$a: NanoCore 0xf3ce:$a: NanoCore 0xf400:$a: NanoCore 0x1b524:$a: NanoCore 0x1b580:$a: NanoCore 0x1b5f4:$a: NanoCore 0x31189:$a: NanoCore 0x311e2:$a: NanoCore 0x3121f:$a: NanoCore 0x31298:$a: NanoCore
Process Memory Space: KgZEfacljaFey.exe PID: 5196	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1ba6:$a1: NanoCore.ClientPluginHost 0x3121f:$a1: NanoCore.ClientPluginHost 0x36258:$a1: NanoCore.ClientPluginHost 0x1b69:$a2: NanoCore.ClientPlugin 0x311e2:$a2: NanoCore.ClientPlugin 0x36218:$a2: NanoCore.ClientPlugin 0x1f20:$b1: get_BuilderSettings 0x2a452:$b1: get_BuilderSettings 0x3812f:$b1: get_BuilderSettings 0x35fd9:$b2: ClientLoaderForm.resources 0x3784f:$b3: PluginCommand 0x1bf4:$b4: IClientAppHost 0x3126d:$b4: IClientAppHost 0x36249:$b4: IClientAppHost 0x40682:$b5: GetBlockHash 0x1f91:$b6: AddHostEntry 0x31580:$b6: AddHostEntry 0x38787:$b6: AddHostEntry 0x438a6:$b6: AddHostEntry 0x2000:$b7: LogClientException 0x2a3c1:$b7: LogClientException
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.cRC31pEDkr.exe.5290000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.5290000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.2.cRC31pEDkr.exe.5290000.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
10.2.cRC31pEDkr.exe.5290000.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d09f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0cc:$x2: IClientNetworkHost
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d09f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e17a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0b9:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d06a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d09f:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d05e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d080:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d08f:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d0b9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d055:$a: NanoCore 0x2d06a:$a: NanoCore 0x2d09f:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce11:$b: ClientPlugin 0x2ce2c:$b: ClientPlugin
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d09f:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d06a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x31fe5:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x31f54:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d0b9:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0x23c40:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c6d:$x2: IClientNetworkHost
14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0x23c40:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d1b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c5a:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c0b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c40:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23bff:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c21:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c30:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c5a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c6d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c80:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23c8e:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23caa:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x23c40:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x23c0b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x28b86:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x28af5:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x23c5a:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.cRC31pEDkr.exe.439fde0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cRC31pEDkr.exe.439fde0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.cRC31pEDkr.exe.439fde0.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cRC31pEDkr.exe.439fde0.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.cRC31pEDkr.exe.439fde0.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.cRC31pEDkr.exe.439fde0.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0xeb0:$s5: IClientLoggingHost
10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xe41:$s1: ClientPlugin
10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0xec3:$b4: IClientAppHost 0xeb0:$b9: IClientLoggingHost
0.2.cRC31pEDkr.exe.43d2800.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cRC31pEDkr.exe.43d2800.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.cRC31pEDkr.exe.43d2800.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cRC31pEDkr.exe.43d2800.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.cRC31pEDkr.exe.43d2800.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.cRC31pEDkr.exe.43d2800.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28269:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28296:$x2: IClientNetworkHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28269:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29344:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28283:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28234:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28269:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28228:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2824a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28259:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x28283:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x28296:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x282a9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282b7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282d3:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28269:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28234:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d1af:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d11e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x28283:$b9: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a60000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.5a60000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a60000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.cRC31pEDkr.exe.5a60000.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
10.2.cRC31pEDkr.exe.5a60000.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.KgZEfacljaFey.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.KgZEfacljaFey.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
14.2.KgZEfacljaFey.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.KgZEfacljaFey.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.cRC31pEDkr.exe.32981e4.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.cRC31pEDkr.exe.32981e4.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x10376:$v1: SbieDll.dll 0x10390:$v2: USER 0x1039c:$v3: SANDBOX 0x103ae:$v4: VIRUS 0x103fe:$v4: VIRUS 0x103bc:$v5: MALWARE 0x103ce:$v6: SCHMIDTI 0x103e2:$v7: CURRENTUSER
10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.cRC31pEDkr.exe.32731c8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.cRC31pEDkr.exe.32731c8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x35392:$v1: SbieDll.dll 0x353ac:$v2: USER 0x353b8:$v3: SANDBOX 0x353ca:$v4: VIRUS 0x3541a:$v4: VIRUS 0x353d8:$v5: MALWARE 0x353ea:$v6: SCHMIDTI 0x353fe:$v7: CURRENTUSER
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x11c43d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x11c47a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11ffad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x6478f:$s1: file:/// 0xd2daf:$s1: file:/// 0x6469f:$s2: {11111-22222-10009-11112} 0xd2cbf:$s2: {11111-22222-10009-11112} 0x6471f:$s3: {11111-22222-50001-00000} 0xd2d3f:$s3: {11111-22222-50001-00000} 0x63895:$s4: get_Module 0xd1eb5:$s4: get_Module 0x63c10:$s5: Reverse 0xd2230:$s5: Reverse 0x1af6f:$s6: BlockCopy 0x5f185:$s6: BlockCopy 0xcd7a5:$s6: BlockCopy 0x12721f:$s6: BlockCopy 0x1af66:$s7: ReadByte 0x127216:$s7: ReadByte 0x647a1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0xd2dc1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x11c1a5:$x1: NanoCore Client 0x11c1b5:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x11c3fd:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x11c43d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x11c3f2:$i1: IClientApp 0x10163:$i2: IClientData 0x11c413:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x11c41f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x11c42e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x11c457:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x11c467:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x11c1a5:$a: NanoCore 0x11c1b5:$a: NanoCore 0x11c3e9:$a: NanoCore 0x11c3fd:$a: NanoCore 0x11c43d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x11c204:$b: ClientPlugin 0x11c406:$b: ClientPlugin 0x11c446:$b: ClientPlugin 0x1007b:$c: ProjectData 0x5ebdf:$c: ProjectData 0xcd1ff:$c: ProjectData 0x11c32b:$c: ProjectData 0x10a82:$d: DESCrypto
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x11c43d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x11c3fd:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x11e356:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x11c259:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x11da76:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x11c42e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x1268ae:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x11e9ae:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1226a1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x11e91b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x459ad:$x1: NanoCore.ClientPluginHost 0x783cd:$x1: NanoCore.ClientPluginHost 0x18467d:$x1: NanoCore.ClientPluginHost 0x459ea:$x2: IClientNetworkHost 0x7840a:$x2: IClientNetworkHost 0x1846ba:$x2: IClientNetworkHost 0x4951d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7bf3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1881ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcc9cf:$s1: file:/// 0x13afef:$s1: file:/// 0xcc8df:$s2: {11111-22222-10009-11112} 0x13aeff:$s2: {11111-22222-10009-11112} 0xcc95f:$s3: {11111-22222-50001-00000} 0x13af7f:$s3: {11111-22222-50001-00000} 0xcbad5:$s4: get_Module 0x13a0f5:$s4: get_Module 0xcbe50:$s5: Reverse 0x13a470:$s5: Reverse 0x5078f:$s6: BlockCopy 0x831af:$s6: BlockCopy 0xc73c5:$s6: BlockCopy 0x1359e5:$s6: BlockCopy 0x18f45f:$s6: BlockCopy 0x50786:$s7: ReadByte 0x831a6:$s7: ReadByte 0x18f456:$s7: ReadByte 0xcc9e1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x13b001:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x45715:$x1: NanoCore Client 0x45725:$x1: NanoCore Client 0x78135:$x1: NanoCore Client 0x78145:$x1: NanoCore Client 0x1843e5:$x1: NanoCore Client 0x1843f5:$x1: NanoCore Client 0x4596d:$x2: NanoCore.ClientPlugin 0x7838d:$x2: NanoCore.ClientPlugin 0x18463d:$x2: NanoCore.ClientPlugin 0x459ad:$x3: NanoCore.ClientPluginHost 0x783cd:$x3: NanoCore.ClientPluginHost 0x18467d:$x3: NanoCore.ClientPluginHost 0x45962:$i1: IClientApp 0x78382:$i1: IClientApp 0x184632:$i1: IClientApp 0x45983:$i2: IClientData 0x783a3:$i2: IClientData 0x184653:$i2: IClientData 0x4598f:$i3: IClientNetwork 0x783af:$i3: IClientNetwork 0x18465f:$i3: IClientNetwork
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x45715:$a: NanoCore 0x45725:$a: NanoCore 0x45959:$a: NanoCore 0x4596d:$a: NanoCore 0x459ad:$a: NanoCore 0x78135:$a: NanoCore 0x78145:$a: NanoCore 0x78379:$a: NanoCore 0x7838d:$a: NanoCore 0x783cd:$a: NanoCore 0x1843e5:$a: NanoCore 0x1843f5:$a: NanoCore 0x184629:$a: NanoCore 0x18463d:$a: NanoCore 0x18467d:$a: NanoCore 0x45774:$b: ClientPlugin 0x45976:$b: ClientPlugin 0x459b6:$b: ClientPlugin 0x78194:$b: ClientPlugin 0x78396:$b: ClientPlugin 0x783d6:$b: ClientPlugin
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x459ad:$a1: NanoCore.ClientPluginHost 0x783cd:$a1: NanoCore.ClientPluginHost 0x18467d:$a1: NanoCore.ClientPluginHost 0x4596d:$a2: NanoCore.ClientPlugin 0x7838d:$a2: NanoCore.ClientPlugin 0x18463d:$a2: NanoCore.ClientPlugin 0x478c6:$b1: get_BuilderSettings 0x7a2e6:$b1: get_BuilderSettings 0x186596:$b1: get_BuilderSettings 0x457c9:$b2: ClientLoaderForm.resources 0x781e9:$b2: ClientLoaderForm.resources 0x184499:$b2: ClientLoaderForm.resources 0x46fe6:$b3: PluginCommand 0x79a06:$b3: PluginCommand 0x185cb6:$b3: PluginCommand 0x4599e:$b4: IClientAppHost 0x783be:$b4: IClientAppHost 0x18466e:$b4: IClientAppHost 0x4fe1e:$b5: GetBlockHash 0x8283e:$b5: GetBlockHash 0x18eaee:$b5: GetBlockHash
7.2.KgZEfacljaFey.exe.2c93208.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
7.2.KgZEfacljaFey.exe.2c93208.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x35392:$v1: SbieDll.dll 0x353ac:$v2: USER 0x353b8:$v3: SANDBOX 0x353ca:$v4: VIRUS 0x3541a:$v4: VIRUS 0x353d8:$v5: MALWARE 0x353ea:$v6: SCHMIDTI 0x353fe:$v7: CURRENTUSER
7.2.KgZEfacljaFey.exe.2cb8224.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
7.2.KgZEfacljaFey.exe.2cb8224.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x10376:$v1: SbieDll.dll 0x10390:$v2: USER 0x1039c:$v3: SANDBOX 0x103ae:$v4: VIRUS 0x103fe:$v4: VIRUS 0x103bc:$v5: MALWARE 0x103ce:$v6: SCHMIDTI 0x103e2:$v7: CURRENTUSER
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x14ee5d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x14ee9a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1529cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x971af:$s1: file:/// 0x1057cf:$s1: file:/// 0x970bf:$s2: {11111-22222-10009-11112} 0x1056df:$s2: {11111-22222-10009-11112} 0x9713f:$s3: {11111-22222-50001-00000} 0x10575f:$s3: {11111-22222-50001-00000} 0x962b5:$s4: get_Module 0x1048d5:$s4: get_Module 0x96630:$s5: Reverse 0x104c50:$s5: Reverse 0x1af6f:$s6: BlockCopy 0x4d98f:$s6: BlockCopy 0x91ba5:$s6: BlockCopy 0x1001c5:$s6: BlockCopy 0x159c3f:$s6: BlockCopy 0x1af66:$s7: ReadByte 0x4d986:$s7: ReadByte 0x159c36:$s7: ReadByte 0x971c1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x1057e1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x14ebc5:$x1: NanoCore Client 0x14ebd5:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x14ee1d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x14ee5d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x14ee12:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x14ee33:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x14ee3f:$i3: IClientNetwork
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0x14ebc5:$a: NanoCore 0x14ebd5:$a: NanoCore 0x14ee09:$a: NanoCore 0x14ee1d:$a: NanoCore 0x14ee5d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x14ee5d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x14ee1d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0x150d76:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x14ec79:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x150496:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x14ee4e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x1592ce:$b5: GetBlockHash
Click to see the 93 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\cRC31pEDkr.exe, ProcessId: 1876, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\cRC31pEDkr.exe, ProcessId: 1876, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\cRC31pEDkr.exe, ParentImage: C:\Users\user\Desktop\cRC31pEDkr.exe, ParentProcessId: 4064, ParentProcessName: cRC31pEDkr.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp, ProcessId: 4724, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\cRC31pEDkr.exe, ProcessId: 1876, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\cRC31pEDkr.exe, ProcessId: 1876, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: cRC31pEDkr.exe	ReversingLabs: Detection: 66%
Source: cRC31pEDkr.exe	Virustotal: Detection: 58%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

ReversingLabs: Detection: 66%

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR

Machine Learning detection for sample

Source: cRC31pEDkr.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

Joe Sandbox ML: detected

Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack	Avira: Label: TR/NanoCore.fadte
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "e971e6b5-1c8b-4bb4-a1a3-7f94e076", "Group": "Ebube", "Domain1": "elzy.ddns.net", "Domain2": "127.0.0.1", "Port": 2000, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Source: cRC31pEDkr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cRC31pEDkr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: elzy.ddns.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Source: unknown

DNS query: name: elzy.ddns.net

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: global traffic

TCP traffic: 192.168.2.5:49701 -> 194.5.98.22:2000

Source: cRC31pEDkr.exe, 00000000.00000003.297044710.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296998530.00000000061B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296850779.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296828770.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296726022.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: cRC31pEDkr.exe, 00000000.00000003.296893411.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296871633.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296944042.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296850779.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296915043.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296828770.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296755309.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296778637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com(
Source: cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296778637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comV
Source: cRC31pEDkr.exe, 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cRC31pEDkr.exe, 00000000.00000003.312291594.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312434363.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.:
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com/
Source: cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTCO
Source: cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comUI
Source: cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comX
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comgU
Source: cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comiE
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.T
Source: cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comorm
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304421291.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304556150.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304506350.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306063064.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061BB000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061C4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305483804.00000000061C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmld.
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersL
Source: cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersn
Source: cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersx
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com9
Source: cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com=
Source: cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312989584.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355271792.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF:
Source: cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFB
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306063064.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalicB
Source: cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomFB
Source: cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomd
Source: cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304556150.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdfet
Source: cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355271792.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312989584.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgreta
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307034097.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307202697.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307122475.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comk:
Source: cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comonyo
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comsivdo
Source: cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comsivr
Source: cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comtur
Source: cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comuB
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: cRC31pEDkr.exe, 00000000.00000003.298437658.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298492392.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn%
Source: cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298249561.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/H
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/pa
Source: cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnalg
Source: cRC31pEDkr.exe, 00000000.00000003.298437658.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298492392.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnp
Source: cRC31pEDkr.exe, 00000000.00000003.308327351.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308403894.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308132703.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308242645.00000000061B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: cRC31pEDkr.exe, 00000000.00000003.308132703.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/q
Source: cRC31pEDkr.exe, 00000000.00000003.308242645.00000000061B1000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.309287347.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.309054521.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302344077.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: cRC31pEDkr.exe, 00000000.00000003.301234096.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/K
Source: cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0;
Source: cRC31pEDkr.exe, 00000000.00000003.301234096.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0MSB
Source: cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/B
Source: cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/K
Source: cRC31pEDkr.exe, 00000000.00000003.304174210.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304255888.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302711504.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302453010.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303976325.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303455893.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302393161.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302254936.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303356467.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304105124.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302841481.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302937899.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303747330.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302501034.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302640559.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303072404.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Y
Source: cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/o
Source: cRC31pEDkr.exe, 00000000.00000003.302453010.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302393161.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302254936.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302501034.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302344077.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s_tr
Source: cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com.I
Source: cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comb-n
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298129567.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298291425.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298249561.00000000061B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krUN.TTFq
Source: cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298129567.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krs-c
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299081793.000000000187C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: cRC31pEDkr.exe, 00000000.00000003.299081793.000000000187C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com(T
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn%I
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnF
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnai

Source: unknown

DNS traffic detected: queries for: elzy.ddns.net

Source: cRC31pEDkr.exe, 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.cRC31pEDkr.exe.32981e4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.cRC31pEDkr.exe.32731c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.KgZEfacljaFey.exe.2c93208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 7.2.KgZEfacljaFey.exe.2cb8224.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: cRC31pEDkr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.cRC31pEDkr.exe.32981e4.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.cRC31pEDkr.exe.32731c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.KgZEfacljaFey.exe.2c93208.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 7.2.KgZEfacljaFey.exe.2cb8224.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_030CC77C	0_2_030CC77C
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_030CE823	0_2_030CE823
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_030CE830	0_2_030CE830
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_07BF0006	0_2_07BF0006
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_07BF0040	0_2_07BF0040
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_07ED0040	0_2_07ED0040
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_07ED0006	0_2_07ED0006
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127C77C	7_2_0127C77C
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127E822	7_2_0127E822
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127E830	7_2_0127E830
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_052A4BE8	7_2_052A4BE8
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_052A4BD8	7_2_052A4BD8
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE480	10_2_04CBE480
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE473	10_2_04CBE473
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBBBD4	10_2_04CBBBD4
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04D9F5F8	10_2_04D9F5F8
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04D9A610	10_2_04D9A610
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04D99788	10_2_04D99788

Source: cRC31pEDkr.exe, 00000000.00000003.336610706.000000000879D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamempfA.exe: vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 00000000.00000000.293953891.0000000000E62000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamempfA.exe: vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 00000000.00000002.357794140.0000000007A80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTigra.dll. vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.566234207.0000000003751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.566234207.0000000003738000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.567804764.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe	Binary or memory string: OriginalFilenamempfA.exe: vs cRC31pEDkr.exe

Source: cRC31pEDkr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KgZEfacljaFey.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: cRC31pEDkr.exe	ReversingLabs: Detection: 66%
Source: cRC31pEDkr.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File read: C:\Users\user\Desktop\cRC31pEDkr.exe

Jump to behavior

Source: cRC31pEDkr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Jump to behavior

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

Jump to behavior

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5E04.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/12@10/2

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: cRC31pEDkr.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_01
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{e971e6b5-1c8b-4bb4-a1a3-7f94e07616a6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_01
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Mutant created: \Sessions\1\BaseNamedObjects\RtIYcrDD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_01

Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: cRC31pEDkr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: cRC31pEDkr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: cRC31pEDkr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: cRC31pEDkr.exe, Snake/Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: KgZEfacljaFey.exe.0.dr, Snake/Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.cRC31pEDkr.exe.e60000.0.unpack, Snake/Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_030CD838 pushad ; iretd	0_2_030CD839
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_030CD83B push esp; iretd	0_2_030CD841
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_07BF3602 push edi; retf	0_2_07BF3603
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127CF52 push 8402B5CBh; retf	7_2_0127CF59
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127D83A push esp; iretd	7_2_0127D841
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127D838 pushad ; iretd	7_2_0127D839
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_052A624F push eax; mov dword ptr [esp], edx	7_2_052A6264
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE0F0 push edx; iretd	10_2_04CBE312
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE471 push ebx; iretd	10_2_04CBE472
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE0D8 push ecx; iretd	10_2_04CBE0E2
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE0E3 push ecx; iretd	10_2_04CBE0E6
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE0E7 push ecx; iretd	10_2_04CBE0EA
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE349 push edx; iretd	10_2_04CBE34A
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE36F push edx; iretd	10_2_04CBE372
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE373 push edx; iretd	10_2_04CBE37A
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBEDEF push edi; iretd	10_2_04CBEDF2
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBEDF3 push edi; iretd	10_2_04CBEDF6
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBEDF7 push edi; iretd	10_2_04CBEDFA
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBED89 push esi; iretd	10_2_04CBED8A
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBEDB9 push esi; iretd	10_2_04CBEDBA
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB8A61 push ss; iretd	10_2_04CB8A62
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB8A70 push ss; iretd	10_2_04CB8B82
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB96C7 push ds; iretd	10_2_04CB96CA
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB9660 push ds; iretd	10_2_04CB9662
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBF798 pushad ; iretd	10_2_04CBF79A
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB93D9 push ds; iretd	10_2_04CB93DA
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB7A80 push cs; iretd	10_2_04CB7C62
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB7A71 push cs; iretd	10_2_04CB7A72
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04D90027 push 683C04CFh; iretd	10_2_04D9003A
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04D969F8 pushad ; retf	10_2_04D969F9

Source: cRC31pEDkr.exe

Static PE information: 0xF2C4F3B5 [Sun Jan 25 03:08:37 2099 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.818047676595979
Source: initial sample	Static PE information: section name: .text entropy: 7.818047676595979

Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File opened: C:\Users\user\Desktop\cRC31pEDkr.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.cRC31pEDkr.exe.32981e4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.32731c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.KgZEfacljaFey.exe.2c93208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.KgZEfacljaFey.exe.2cb8224.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KgZEfacljaFey.exe PID: 6040, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: cRC31pEDkr.exe, 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: cRC31pEDkr.exe, 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\cRC31pEDkr.exe TID: 5236	Thread sleep time: -37665s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe TID: 3924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3584	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2848	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe TID: 6064	Thread sleep time: -37665s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe TID: 1728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe TID: 3124	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe TID: 860	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9305	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9086	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Window / User API: threadDelayed 9713	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Window / User API: foregroundWindowGot 853	Jump to behavior

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Thread delayed: delay time: 37665	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Thread delayed: delay time: 37665	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Thread delayed: delay time: 922337203685477

Source: KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: cRC31pEDkr.exe, 0000000A.00000002.561292320.0000000000C80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Memory written: C:\Users\user\Desktop\cRC31pEDkr.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Memory written: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe base: 400000 value starts with: 4D5A			Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Jump to behavior

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Jump to behavior

Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.0000000002958000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@ %Gp@
Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000029F0000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerp

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Users\user\Desktop\cRC31pEDkr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Users\user\Desktop\cRC31pEDkr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected zgRAT

Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR

Remote Access Functionality

Yara detected zgRAT

Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE

Detected Nanocore Rat

Source: cRC31pEDkr.exe, 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: cRC31pEDkr.exe, 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: cRC31pEDkr.exe, 0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: cRC31pEDkr.exe, 0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHost
Source: KgZEfacljaFey.exe, 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: KgZEfacljaFey.exe, 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: KgZEfacljaFey.exe, 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: KgZEfacljaFey.exe, 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: KgZEfacljaFey.exe, 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	1 Masquerading	11 Input Capture	21 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	13 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cRC31pEDkr.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
cRC31pEDkr.exe	58%	Virustotal		Browse
cRC31pEDkr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
10.2.cRC31pEDkr.exe.5a60000.5.unpack	100%	Avira	TR/NanoCore.fadte		Download File
14.2.KgZEfacljaFey.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

Source	Detection	Scanner	Label	Link
elzy.ddns.net	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.fontbureau.comgreta	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com9	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comcomd	0%	URL Reputation	safe
http://www.carterandcone.comX	0%	URL Reputation	safe
http://www.fontbureau.comk:	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/K	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/B	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.sandoll.co.krUN.TTFq	0%	Avira URL Cloud	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/t	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.zhongyicts.com.cnF	0%	URL Reputation	safe
http://www.founder.com.cn/cn%	0%	URL Reputation	safe
http://www.fontbureau.comI.TTF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/B	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/K	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.carterandcone.com/	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.com=	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/pa	0%	Avira URL Cloud	safe
http://www.carterandcone.comUI	0%	Avira URL Cloud	safe
http://www.fontbureau.comdfet	0%	Avira URL Cloud	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.sandoll.co.krs-c	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnp	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s_tr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/Y	0%	URL Reputation	safe
http://www.carterandcone.como.T	0%	Avira URL Cloud	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/o	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.founder.com.cn/cnalg	0%	Avira URL Cloud	safe
http://www.fontbureau.comalicB	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.carterandcone.comorm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0;	0%	Avira URL Cloud	safe
http://www.carterandcone.comiE	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0MSB	0%	Avira URL Cloud	safe
http://www.carterandcone.comgU	0%	Avira URL Cloud	safe
http://www.tiro.com(T	0%	Avira URL Cloud	safe
http://www.fontbureau.comsivdo	0%	Avira URL Cloud	safe
http://www.agfamonotype.:	0%	Avira URL Cloud	safe
http://fontfabrik.com(	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnai	0%	Avira URL Cloud	safe
http://www.carterandcone.comTCO	0%	Avira URL Cloud	safe
http://fontfabrik.comV	0%	Avira URL Cloud	safe
http://www.fontbureau.comFB	0%	Avira URL Cloud	safe
elzy.ddns.net	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/q	0%	Avira URL Cloud	safe
http://www.fontbureau.comF:	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comb-n	0%	Avira URL Cloud	safe
127.0.0.1	0%	Avira URL Cloud	safe
http://www.fontbureau.comonyo	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com.I	0%	Avira URL Cloud	safe
http://www.fontbureau.comsivr	0%	Avira URL Cloud	safe
http://www.fontbureau.comtur	0%	Avira URL Cloud	safe
http://www.fontbureau.comcomFB	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn%I	0%	Avira URL Cloud	safe
http://www.fontbureau.comuB	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/H	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elzy.ddns.net	194.5.98.22	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
elzy.ddns.net	true	Avira URL Cloud: safe	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designers/frere-jones.htmld.	cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061C4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305483804.00000000061C3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/pa	cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comk:	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307034097.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307202697.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307122475.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comUI	cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comgreta	cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312989584.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krUN.TTFq	cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com9	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdfet	cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	cRC31pEDkr.exe, 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.como.	cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com=	cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.galapagosdesign.com/	cRC31pEDkr.exe, 00000000.00000003.308327351.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308403894.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308132703.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308242645.00000000061B1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.como.T	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcomd	cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comX	cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnalg	cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/K	cRC31pEDkr.exe, 00000000.00000003.301234096.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comalicB	cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/B	cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.come.com	cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355271792.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w	cRC31pEDkr.exe, 00000000.00000003.297044710.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296998530.00000000061B7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comiE	cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0;	cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298249561.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0MSB	cRC31pEDkr.exe, 00000000.00000003.301234096.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/t	cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comgU	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com(T	cRC31pEDkr.exe, 00000000.00000003.299081793.000000000187C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.comsivdo	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agfamonotype.:	cRC31pEDkr.exe, 00000000.00000003.312291594.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312434363.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comals	cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com(	cRC31pEDkr.exe, 00000000.00000003.296893411.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296871633.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296944042.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296850779.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296915043.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296828770.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296755309.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296778637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.zhongyicts.com.cnF	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cnai	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn%	cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comI.TTF	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306063064.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.comV	cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296778637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/B	cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersL	cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/K	cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comTCO	cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299081793.000000000187C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com/	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comFB	cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com.	cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krs-c	cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298129567.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	cRC31pEDkr.exe, 00000000.00000003.308242645.00000000061B1000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.309287347.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.309054521.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296850779.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296828770.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296726022.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnp	cRC31pEDkr.exe, 00000000.00000003.298437658.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298492392.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/q	cRC31pEDkr.exe, 00000000.00000003.308132703.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comF:	cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312989584.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355271792.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersx	cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/s_tr	cRC31pEDkr.exe, 00000000.00000003.302453010.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302393161.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302254936.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302501034.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302344077.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.comb-n	cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298129567.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298291425.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298249561.00000000061B1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersn	cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/Y	cRC31pEDkr.exe, 00000000.00000003.304174210.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304255888.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302711504.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302453010.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303976325.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303455893.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302393161.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302254936.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303356467.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304105124.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302841481.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302937899.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303747330.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302501034.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302640559.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303072404.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comonyo	cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304421291.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304556150.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304506350.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306063064.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.comF	cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comTC	cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comsivr	cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com.I	cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/o	cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comcomFB	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comtur	cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/H	cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd	cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304556150.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn%I	cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/cabarga.htmlN	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	cRC31pEDkr.exe, 00000000.00000003.298437658.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298492392.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comuB	cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comorm	cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302344077.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/	cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061BB000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.22	elzy.ddns.net	Netherlands		208476	DANILENKODE	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800441
Start date and time:	2023-02-07 13:58:11 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	cRC31pEDkr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/12@10/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 63 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:59:13	API Interceptor	784x Sleep call for process: cRC31pEDkr.exe modified
13:59:17	Task Scheduler	Run new task: KgZEfacljaFey path: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
13:59:18	API Interceptor	55x Sleep call for process: powershell.exe modified
13:59:32	API Interceptor	1x Sleep call for process: KgZEfacljaFey.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.5.98.22	Request for Quotation (NEW PRICE LIST 2022).exe	Get hash	malicious	Browse
194.5.98.22	QUOTATION AND SAMPLE LISTPDF.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
elzy.ddns.net	Remittance.exe	Get hash	malicious	Browse	194.147.140.31

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	gNrfORqjCV.exe	Get hash	malicious	Browse	194.5.98.24
	Scan Copy.exe	Get hash	malicious	Browse	194.5.98.186
	IMAGE119.exe	Get hash	malicious	Browse	194.5.98.12
	dlwat.exe	Get hash	malicious	Browse	194.5.98.202
	FAKTURA D.exe	Get hash	malicious	Browse	194.5.98.210
	Scan Copy.exe	Get hash	malicious	Browse	194.5.98.174
	scan_2023748984785874774.exe	Get hash	malicious	Browse	194.5.98.245
	BookingDetails77#6276.exe	Get hash	malicious	Browse	194.5.98.120
	DOCUMENT839$#789.exe	Get hash	malicious	Browse	194.5.98.120
	9E9C786810231BB2222BE822FBD43E21A02AF06B96C6C.exe	Get hash	malicious	Browse	194.5.98.212
	Fully Executed Contract.js	Get hash	malicious	Browse	194.5.98.71
	PROFORMA INVOICE SCAN DOC.exe	Get hash	malicious	Browse	194.5.98.53
	SIBAIRQ-PD-PUR-926.js	Get hash	malicious	Browse	194.5.98.71
	Payload.exe.exe	Get hash	malicious	Browse	194.5.98.13
	DTQ112.js	Get hash	malicious	Browse	194.5.98.42
	Proforma Invoice 3001855006.js	Get hash	malicious	Browse	194.5.98.42
	EFT20009563_invoice.js	Get hash	malicious	Browse	194.5.98.253
	MDCT091.js	Get hash	malicious	Browse	194.5.98.109
	Inquiry for Quotation No. 20P3200023.exe	Get hash	malicious	Browse	194.5.98.212
	Shipping Doc.pdf.exe	Get hash	malicious	Browse	194.5.98.9

Process:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cRC31pEDkr.exe.log

Download File

Process:	C:\Users\user\Desktop\cRC31pEDkr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21864
Entropy (8bit):	5.598059944466488
Encrypted:	false
SSDEEP:	384:+tCRLq0+3R2EYf3YSVxnejulrItCiJ9g9SJ3uyV1lm0ZSAVrdt8hqA+iRYg:bDgUxeClrSy9cuG3Uqg
MD5:	F0E335C7015467AA88CB725D1E79D3E3
SHA1:	2CB9B862933DC5AF60596D12EDB1F676C4AD9B6F
SHA-256:	C02AE364FCD84F5B4E478CB668B7F578C55E678AF9EE4C30254FB90B30BD0422
SHA-512:	8CE3A87486B215ABCDB564EBC8489E1D88065F7936D5234E6BCC201A1D34C4845D618CBC04F95F40700170A806881486B2E45E2F161188B9FD19831C24F8EB22
Malicious:	false
Preview:	@...e...............................:.X..............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l55gaxga.5bu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wn1bnogj.r25.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xlbtqxm5.ana.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0sc0zox.gi0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp5E04.tmp

Download File

Process:	C:\Users\user\Desktop\cRC31pEDkr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	5.134330559128222
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTuv
MD5:	B60F588C1155AF27B4F7C47D9BA68B63
SHA1:	060A5DB198839D2D4D33E2DA93540D3BD1851042
SHA-256:	4467302D8DE2891402E2EC25B9824333F433D46A306D120E32D93BE4F216C492
SHA-512:	89527F28ED63991D6B1C0D18FDA21F9CF77E0CAB8EEA228359B9781C57FCE2D5EDACDBE5F26C5EB39DEE9C9B0384BD9C89628991D6A5C53B4C87B426410FD537
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	5.134330559128222
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTuv
MD5:	B60F588C1155AF27B4F7C47D9BA68B63
SHA1:	060A5DB198839D2D4D33E2DA93540D3BD1851042
SHA-256:	4467302D8DE2891402E2EC25B9824333F433D46A306D120E32D93BE4F216C492
SHA-512:	89527F28ED63991D6B1C0D18FDA21F9CF77E0CAB8EEA228359B9781C57FCE2D5EDACDBE5F26C5EB39DEE9C9B0384BD9C89628991D6A5C53B4C87B426410FD537
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\cRC31pEDkr.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:CS:P
MD5:	76420758AE4C29CAAD2AA6B116E41716
SHA1:	59893B920B4F94B033959DA9C02E6156E8DD98DF
SHA-256:	136D683384EA664828711F6043304C6D2A1E89C3F8DAD346F6007FF13DD5F45D
SHA-512:	892DCB7634396D212CFA50CCA7610683BC01B83743131BE2F700912617F563498EBE2F0450DD59CF46448A298DB2A37C68394DEFF8A00D5480CD68F6A509FB64
Malicious:	true
Preview:	of.V..H

C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

Download File

Process:	C:\Users\user\Desktop\cRC31pEDkr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	705536
Entropy (8bit):	7.810105998338931
Encrypted:	false
SSDEEP:	12288:VVC66Bm2iNNHOp7HPfubIVc1E0cE3UyV5sXoDCnJ8OSTaHlUI1FuH66B:GVM1rut21E0cEkI24D6PSuHlvuHV
MD5:	AC2609D2181F756550E3C180329B121C
SHA1:	2AC2462013BE76E3BB606C7DEAEC5E0E4609CD59
SHA-256:	9730AEE1D4D04BB12E1DF2A5550741EED7266625F8D99443DD0CD0DFFCA07112
SHA-512:	EE9DC08DD3E713FFE4A7FB658A37E8C689A5CDAC7E1CFA6FB3A26A048663FF70B524C49FCEF3B0C033D4DD2EFBE290E2DC62BE74145C461D1E711356C826CDA2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...w...........................................................0............}......}.....(.......(........}.......s....}..... .... ....s....}......{......s....}.....{....r...po......(.....{....o......{......o......{....o..........s....s....}.....(......(.....{....o.....*....0.............{.....X}.....{.....].....,-..{....(....o......{....o....(....o.....8......{....( ...o......{....o....( ...o.......(......{....,..{.......+....,..(.....{......s....o........{....o!..

C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\cRC31pEDkr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.810105998338931
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	cRC31pEDkr.exe
File size:	705536
MD5:	ac2609d2181f756550e3c180329b121c
SHA1:	2ac2462013be76e3bb606c7deaec5e0e4609cd59
SHA256:	9730aee1d4d04bb12e1df2a5550741eed7266625f8d99443dd0cd0dffca07112
SHA512:	ee9dc08dd3e713ffe4a7fb658a37e8c689a5cdac7e1cfa6fb3a26a048663ff70b524c49fcef3b0c033d4dd2efbe290e2dc62be74145c461d1e711356c826cda2
SSDEEP:	12288:VVC66Bm2iNNHOp7HPfubIVc1E0cE3UyV5sXoDCnJ8OSTaHlUI1FuH66B:GVM1rut21E0cEkI24D6PSuHlvuHV
TLSH:	39E401811D64CA58E2F90EBD0F7C5A2D8FF45C9923E3E2B40BE6B4D9A463783C815536
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4ad902
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF2C4F3B5 [Sun Jan 25 03:08:37 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xad8b0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x5bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xad894	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xab908	0xaba00	False	0.8738022350691915	data	7.818047676595979	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x5bc	0x600	False	0.4283854166666667	data	4.10376699366461	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb0000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xae090	0x32c	data
RT_MANIFEST	0xae3cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 13:59:31.713982105 CET	49701	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:31.757090092 CET	2000	49701	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:32.392255068 CET	49701	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:32.435534000 CET	2000	49701	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:33.001553059 CET	49701	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:33.044615030 CET	2000	49701	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:37.180790901 CET	49702	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:37.223854065 CET	2000	49702	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:37.845783949 CET	49702	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:37.888947010 CET	2000	49702	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:38.549042940 CET	49702	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:38.592144012 CET	2000	49702	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:42.792201996 CET	49703	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:42.835329056 CET	2000	49703	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:43.346213102 CET	49703	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:43.389285088 CET	2000	49703	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:44.049402952 CET	49703	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:44.092649937 CET	2000	49703	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:04.116805077 CET	49710	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:04.159924030 CET	2000	49710	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:04.660533905 CET	49710	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:04.703702927 CET	2000	49710	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:05.207479000 CET	49710	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:05.250614882 CET	2000	49710	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:09.301789045 CET	49712	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:09.344774961 CET	2000	49712	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:09.848398924 CET	49712	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:09.891593933 CET	2000	49712	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:10.395400047 CET	49712	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:10.438546896 CET	2000	49712	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:14.486471891 CET	49713	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:14.530375004 CET	2000	49713	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:15.036335945 CET	49713	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:15.081300020 CET	2000	49713	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:15.583241940 CET	49713	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:15.626451015 CET	2000	49713	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:35.702507973 CET	49718	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:35.745628119 CET	2000	49718	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:36.256872892 CET	49718	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:36.300020933 CET	2000	49718	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:36.803818941 CET	49718	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:36.846869946 CET	2000	49718	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:41.506460905 CET	49719	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:41.549746990 CET	2000	49719	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:42.054270983 CET	49719	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:42.097364902 CET	2000	49719	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:42.663737059 CET	49719	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:42.708404064 CET	2000	49719	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:46.919289112 CET	49721	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:46.962531090 CET	2000	49721	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:47.476569891 CET	49721	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:47.519581079 CET	2000	49721	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:48.023495913 CET	49721	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:48.066632986 CET	2000	49721	194.5.98.22	192.168.2.5
Feb 7, 2023 14:01:07.652275085 CET	49726	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:01:07.695615053 CET	2000	49726	194.5.98.22	192.168.2.5
Feb 7, 2023 14:01:08.207467079 CET	49726	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:01:08.250525951 CET	2000	49726	194.5.98.22	192.168.2.5
Feb 7, 2023 14:01:08.762331963 CET	49726	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:01:08.805807114 CET	2000	49726	194.5.98.22	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 13:59:31.679389000 CET	61893	53	192.168.2.5	8.8.8.8
Feb 7, 2023 13:59:31.699139118 CET	53	61893	8.8.8.8	192.168.2.5
Feb 7, 2023 13:59:37.159048080 CET	60649	53	192.168.2.5	8.8.8.8
Feb 7, 2023 13:59:37.179442883 CET	53	60649	8.8.8.8	192.168.2.5
Feb 7, 2023 13:59:42.715939045 CET	51441	53	192.168.2.5	8.8.8.8
Feb 7, 2023 13:59:42.735929966 CET	53	51441	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:04.092628002 CET	65323	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:04.113540888 CET	53	65323	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:09.282095909 CET	63446	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:09.300489902 CET	53	63446	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:14.467171907 CET	56751	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:14.485213041 CET	53	56751	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:35.679114103 CET	60975	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:35.700711012 CET	53	60975	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:41.407455921 CET	59220	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:41.429548979 CET	53	59220	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:46.845959902 CET	56682	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:46.865693092 CET	53	56682	8.8.8.8	192.168.2.5
Feb 7, 2023 14:01:07.633317947 CET	62659	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:01:07.651314974 CET	53	62659	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 7, 2023 13:59:31.679389000 CET	192.168.2.5	8.8.8.8	0xb8e1	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:59:37.159048080 CET	192.168.2.5	8.8.8.8	0xc0cd	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:59:42.715939045 CET	192.168.2.5	8.8.8.8	0xc75e	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:04.092628002 CET	192.168.2.5	8.8.8.8	0x1f49	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:09.282095909 CET	192.168.2.5	8.8.8.8	0x26db	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:14.467171907 CET	192.168.2.5	8.8.8.8	0x8558	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:35.679114103 CET	192.168.2.5	8.8.8.8	0xdfdc	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:41.407455921 CET	192.168.2.5	8.8.8.8	0x1d80	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:46.845959902 CET	192.168.2.5	8.8.8.8	0x7a18	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:01:07.633317947 CET	192.168.2.5	8.8.8.8	0xd446	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 7, 2023 13:59:31.699139118 CET	8.8.8.8	192.168.2.5	0xb8e1	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:59:37.179442883 CET	8.8.8.8	192.168.2.5	0xc0cd	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:59:42.735929966 CET	8.8.8.8	192.168.2.5	0xc75e	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:04.113540888 CET	8.8.8.8	192.168.2.5	0x1f49	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:09.300489902 CET	8.8.8.8	192.168.2.5	0x26db	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:14.485213041 CET	8.8.8.8	192.168.2.5	0x8558	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:35.700711012 CET	8.8.8.8	192.168.2.5	0xdfdc	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:41.429548979 CET	8.8.8.8	192.168.2.5	0x1d80	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:46.865693092 CET	8.8.8.8	192.168.2.5	0x7a18	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:01:07.651314974 CET	8.8.8.8	192.168.2.5	0xd446	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:59:04
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\cRC31pEDkr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\cRC31pEDkr.exe
Imagebase:	0xe60000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe
Imagebase:	0xe80000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Imagebase:	0xe80000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp
Imagebase:	0x820000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	13:59:17
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Imagebase:	0x7ff7fcd70000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	8
Start time:	13:59:24
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\cRC31pEDkr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\cRC31pEDkr.exe
Imagebase:	0x1a0000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	9
Start time:	13:59:24
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\cRC31pEDkr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\cRC31pEDkr.exe
Imagebase:	0x2b0000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	10
Start time:	13:59:24
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\cRC31pEDkr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\cRC31pEDkr.exe
Imagebase:	0x450000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	12
Start time:	13:59:36
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp
Imagebase:	0x820000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	13:59:36
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	13:59:43
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Imagebase:	0x750000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	156
Total number of Limit Nodes:	15

Executed Functions

Function 030CBD40 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030CBDB0
GetCurrentThread.KERNEL32 ref: 030CBDED
GetCurrentProcess.KERNEL32 ref: 030CBE2A
GetCurrentThreadId.KERNEL32 ref: 030CBE83

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 94cf8c8b3d26a3195287839205c660fac7faad8e24b8b30cf47ac49c050f151b
Instruction ID: 0f61617f34142c261ca75a7057d61e4f1c792d33ff23fdfd150378affeb166d8
Opcode Fuzzy Hash: 94cf8c8b3d26a3195287839205c660fac7faad8e24b8b30cf47ac49c050f151b
Instruction Fuzzy Hash: EE5144B09117498FDB54CFAAD589BDEBFF1EF48300F24846AE409A7260D7745884CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 030CBD50 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030CBDB0
GetCurrentThread.KERNEL32 ref: 030CBDED
GetCurrentProcess.KERNEL32 ref: 030CBE2A
GetCurrentThreadId.KERNEL32 ref: 030CBE83

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fd344fd7f5a0243043724d1fa8aeb486126185afc67ee386e965dce8d27a0e81
Instruction ID: ef60eb7f741ce8aaded59c086e54f2d49ccd781f714fc50c01a4b6229cde47d9
Opcode Fuzzy Hash: fd344fd7f5a0243043724d1fa8aeb486126185afc67ee386e965dce8d27a0e81
Instruction Fuzzy Hash: 525143B0D116498FDB14CFAAD589BDEBFF1BF88304F248469E409A7250D7749884CB69

Uniqueness

Uniqueness Score: -1.00%

Function 07BF7FE8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07BF821E

Memory Dump Source

Source File: 00000000.00000002.358828735.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7bf0000_cRC31pEDkr.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e55459d583cc12d93b3b5f16a7a3e7206ef362c1fb282d78abd5dbc3cfed22b0
Instruction ID: a3c6a3baab9f48f9772eeb3876c8eec45004ed8a012fe09dc49ccd2ea3ced3c7
Opcode Fuzzy Hash: e55459d583cc12d93b3b5f16a7a3e7206ef362c1fb282d78abd5dbc3cfed22b0
Instruction Fuzzy Hash: 90914AB1D00619CFEB10DFA8C8817DEBBB2FF48714F1485A9E909A7250DB749989CF91

Uniqueness

Uniqueness Score: -1.00%

Function 030C9A50 Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 030C9C96

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2069b43d2fafb8b1d02ea7d2b67aac1f3f3478e981d98f7d0ce5dd3851599650
Instruction ID: 38aa66f28cb96218e4592d32699abb15ce711b9677b2f6590565f9b524c43190
Opcode Fuzzy Hash: 2069b43d2fafb8b1d02ea7d2b67aac1f3f3478e981d98f7d0ce5dd3851599650
Instruction Fuzzy Hash: C47146B0A11B459FDB64CF6AC15079ABBF5BF88300F14892ED48ADBA50D734E806CF91

Uniqueness

Uniqueness Score: -1.00%

Function 030C5367 Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030C5421

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c5f7c79d71bb348948abeb70f9c2fbe2e6450d5540259c6de0ef2b23d1547f79
Instruction ID: 72eab5c1ccf021288bb0e4a30c915db9625785610539bfb0c7867a144c8a1db0
Opcode Fuzzy Hash: c5f7c79d71bb348948abeb70f9c2fbe2e6450d5540259c6de0ef2b23d1547f79
Instruction Fuzzy Hash: 165113B1C10658CFDB10CFAAC8847CEBBF5BF49314F2480AAD409AB251D7746985DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 030C3DE8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030C5421

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3647283649f828bf5fa6ff046d1cfc4400db41f5b88a9f0c615d47fe0a157e18
Instruction ID: ce14369409093ce3ab07d82b655445724340c381e667da1064a61f16b9116f30
Opcode Fuzzy Hash: 3647283649f828bf5fa6ff046d1cfc4400db41f5b88a9f0c615d47fe0a157e18
Instruction Fuzzy Hash: 434102B0C1161CCFDB24DFAAC884BCEBBB5BF49304F20806AD409AB251D7B56946DF94

Uniqueness

Uniqueness Score: -1.00%

Function 07BF7CD0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07BF7D60

Memory Dump Source

Source File: 00000000.00000002.358828735.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7bf0000_cRC31pEDkr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 408a5ba8d1a3d3d03f0f60863648ef96c6a9bbc376b8a4e05374daaf72be466e
Instruction ID: 487f3efeb42ead97c82f4fdf3be1a0a59c3232e2f1699eb333a018c96033b30f
Opcode Fuzzy Hash: 408a5ba8d1a3d3d03f0f60863648ef96c6a9bbc376b8a4e05374daaf72be466e
Instruction Fuzzy Hash: 6D212AB59003599FDF10CFAAC8847EEBBF5FF48310F50842AE919A7240C7789944DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030CBF70 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030CBFFF

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fefa36c1223cb2fbda273f4f90133151b019e97202a58862b689a356139a2b43
Instruction ID: 5c20964ba43f07be3e99b8b41023fec2de1420b310ca091fb71b83eb82dc3671
Opcode Fuzzy Hash: fefa36c1223cb2fbda273f4f90133151b019e97202a58862b689a356139a2b43
Instruction Fuzzy Hash: 8C2103B5D01248AFDB10CFAAD984ADEFBF8EB48320F14845AE815B7310D374A940DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07BF7DF0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07BF7E70

Memory Dump Source

Source File: 00000000.00000002.358828735.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7bf0000_cRC31pEDkr.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d46d052814295d0ee65317f0204ae4781d5a4a8acd0727fd96ab9e4fe46cf1cf
Instruction ID: b8c367535425288a805e0a067d37de8723b5659491cf84adee6cdd2283519ca5
Opcode Fuzzy Hash: d46d052814295d0ee65317f0204ae4781d5a4a8acd0727fd96ab9e4fe46cf1cf
Instruction Fuzzy Hash: 002137B1D003599FDB10DFAAC880BEEBBF5FF48310F50842AE519A7250C7799A45DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07BF7A48 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 07BF7AC6

Memory Dump Source

Source File: 00000000.00000002.358828735.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7bf0000_cRC31pEDkr.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 81356821dee5b0816affab4ee84100a5ddb9d06d2adb18be7513a1652ac9bc81
Instruction ID: 8b5d94508af7d02a7a103ef45268d7f1def5c3fed88defa3e9fd6f46e15be367
Opcode Fuzzy Hash: 81356821dee5b0816affab4ee84100a5ddb9d06d2adb18be7513a1652ac9bc81
Instruction Fuzzy Hash: A82118B1D003099FDB10DFAAC8847EEBBF4EF48714F54846AD519A7240CB78AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 030CBF78 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030CBFFF

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d58e265bd40dfaff997a33e1c687ec5236c042d918ba12fd99ddfc3bfcdaaefc
Instruction ID: 9efd83cf8fd9e8b655dd97316d69b1febcbc386c133dc162d219c0fc570916ef
Opcode Fuzzy Hash: d58e265bd40dfaff997a33e1c687ec5236c042d918ba12fd99ddfc3bfcdaaefc
Instruction Fuzzy Hash: DE21E2B59002489FDB10CFAAD984ADEFBF8EB48324F14841AE919A7310D374A944DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 030C8FC0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,030C9D11,00000800,00000000,00000000), ref: 030C9F22

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 43a154f5e275d7e528bd2ef243def649f5930bbb50c68efca409d675b13bf84e
Instruction ID: 0cf3fcf4fbd78fcfeda4adee4bdd3aa5b9ddb30e544e3a2d5ff58c79be48ff11
Opcode Fuzzy Hash: 43a154f5e275d7e528bd2ef243def649f5930bbb50c68efca409d675b13bf84e
Instruction Fuzzy Hash: AD1126B2D102498FCB10CF9AD484BDEFBF4EB98314F14842EE815A7200C3B4A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 030C9EB3 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,030C9D11,00000800,00000000,00000000), ref: 030C9F22

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0d3a7d49f2a1a69618254d8afcc4fc567371fa7deb4980698174956ff93ca400
Instruction ID: e5da8265d7ce6299d9bc1d7cd46d224aeb7f2098ffc35370660bb704192a5acd
Opcode Fuzzy Hash: 0d3a7d49f2a1a69618254d8afcc4fc567371fa7deb4980698174956ff93ca400
Instruction Fuzzy Hash: A61123B2D002498FCB10CF9AC884BDEFBF4EB88320F14842EE415A7200C378A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07BF7BE0 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07BF7C4E

Memory Dump Source

Source File: 00000000.00000002.358828735.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7bf0000_cRC31pEDkr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ebb70de3738dca1d0a6cc0b8c4168e72044b6cfe47b623680f2328d4916bdd3f
Instruction ID: cc0cc7fe180077e0dea4f49c63ae1919710b7bf9fdf18ebe9feb529ef8a0bfed
Opcode Fuzzy Hash: ebb70de3738dca1d0a6cc0b8c4168e72044b6cfe47b623680f2328d4916bdd3f
Instruction Fuzzy Hash: E31137B29002499FDB10DFAAC8447DFBFF5EF48720F148819E519A7250CB75AA44DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07BF7968 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07BF79CA

Memory Dump Source

Source File: 00000000.00000002.358828735.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7bf0000_cRC31pEDkr.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b98390753497dd8767506856f69dcf6082bbdddc7c9a8620cfae24d16fbeb4d4
Instruction ID: 800febba64b618ba600a8007fea7cc2979e2bddf2690927dbac951a8f58c8ced
Opcode Fuzzy Hash: b98390753497dd8767506856f69dcf6082bbdddc7c9a8620cfae24d16fbeb4d4
Instruction Fuzzy Hash: 7B110AB1D003498FDB10DFAAC8457EEFBF5EF88724F148869D515A7240CB75A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030C9C30 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 030C9C96

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 062be7085c27784c33b78fb85fc109f2508b1793852ff0afbc9d9ef64fdf46b8
Instruction ID: cde66aa0c0fc01d7f337020a438ad323fc76e14d38e9be3e2580188c35e2c985
Opcode Fuzzy Hash: 062be7085c27784c33b78fb85fc109f2508b1793852ff0afbc9d9ef64fdf46b8
Instruction Fuzzy Hash: 981110B2C002498FCB10CF9AC584BDEFBF4AF89324F14846AD419B7610C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07ED8378 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07ED83D5

Memory Dump Source

Source File: 00000000.00000002.359089388.0000000007ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ed0000_cRC31pEDkr.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8544c604a0335aea90cbd0f7671c163df22b259e190884a2894803a5ad1d2143
Instruction ID: 9c3cc348721803b8ae7e4f799dd79e3e5f988f5a07d1ae6f9295a1079c025ce0
Opcode Fuzzy Hash: 8544c604a0335aea90cbd0f7671c163df22b259e190884a2894803a5ad1d2143
Instruction Fuzzy Hash: 7011E8B58003499FDB10CF9AC984BDFFBF8EB48324F108519E555A7600C374A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07ED0040 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

d, xrefs: 07ED30B3

Memory Dump Source

Source File: 00000000.00000002.359089388.0000000007ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ed0000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 20fbd1150b7f7b51e361acfda38776ed12948d749056ecf4faace24bb16d37a4
Instruction ID: c3e58dc8631181dec793a0abf60246e7f9bc71e9036da92d82380770c571a7bc
Opcode Fuzzy Hash: 20fbd1150b7f7b51e361acfda38776ed12948d749056ecf4faace24bb16d37a4
Instruction Fuzzy Hash: 4A4143B1D01A58CFE758CF6B8C4479AFAF7AFC9201F14D1B9840CAA255EB304986CF11

Uniqueness

Uniqueness Score: -1.00%

Function 030CE830 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a118c61477d27e6e1b756280b6cfe1e6c7f19389617bda0b1ee05309dd8589
Instruction ID: 73bc413ae0f16a72ca94664c4d26dd99b14c80763822675493b300583f2a4c38
Opcode Fuzzy Hash: d5a118c61477d27e6e1b756280b6cfe1e6c7f19389617bda0b1ee05309dd8589
Instruction Fuzzy Hash: 9812E9F1411746CBD318EF65E8981893BA3F74AB28F906308D1612F6D9D7B811CAEF64

Uniqueness

Uniqueness Score: -1.00%

Function 030CC77C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185df9e06d64cc5d9f41644ecbccebb2ffcd9a3623c41e58633a25fad704206c
Instruction ID: fd0f1333a262e0238f4a564f4d20249dde7dabb25d77d46132dc11107412f5a0
Opcode Fuzzy Hash: 185df9e06d64cc5d9f41644ecbccebb2ffcd9a3623c41e58633a25fad704206c
Instruction Fuzzy Hash: C4A17F36E112598FCF05DFA5C8445DEBBF2FFC9301B15856AE805BB260EB31A946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 030CE823 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.345509747.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83cf7c90a305d886d425c657bb007b55490da74d28e881e1fb36f1f7bffb42fc
Instruction ID: f4d9419c418fbc21c0f0b7b0080700ffd19a8b498f2618aeaa9e41c3e3d36b3d
Opcode Fuzzy Hash: 83cf7c90a305d886d425c657bb007b55490da74d28e881e1fb36f1f7bffb42fc
Instruction Fuzzy Hash: 56C14DB1411746CBD718EF65E8881897BB3FB8AB24F505308D1616B6D8D7B810CAEFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07BF0006 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358828735.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7bf0000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226c335d31b2387cfc5056ec35204243691d1e545c92066342477684fdfb6276
Instruction ID: ee7cc65767dc32a4755eea8f0b223dc077dc94ef9c26d6691d934ec0199f1a0f
Opcode Fuzzy Hash: 226c335d31b2387cfc5056ec35204243691d1e545c92066342477684fdfb6276
Instruction Fuzzy Hash: 994160B1D05A588FE71DCF6B8C4068AFBF3AFC5200F18C1BBD458AA265EB3409468F11

Uniqueness

Uniqueness Score: -1.00%

Function 07ED0006 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.359089388.0000000007ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ed0000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4dffbf3ed5944fa9fdb0474198cf2cc9dcdebd34944932dd31fa4c932ac491b
Instruction ID: 61f56eda4d9c466ad0fc522fad22e131898196016961838438ff992834fccee4
Opcode Fuzzy Hash: f4dffbf3ed5944fa9fdb0474198cf2cc9dcdebd34944932dd31fa4c932ac491b
Instruction Fuzzy Hash: 504151B1D05A548FE759CF678C4028AFBF3AFC9211F18C1BAC44C9A255EB3409868F51

Uniqueness

Uniqueness Score: -1.00%

Function 07BF0040 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.358828735.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7bf0000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae367e695a5eefa490f24da940aa79663dad7e2d99f2c7ba76e9a0740b04e914
Instruction ID: 8d2e354e3f1331e7631e6a63377b72ec0b653c17290fa82999e92469d1c26c8e
Opcode Fuzzy Hash: ae367e695a5eefa490f24da940aa79663dad7e2d99f2c7ba76e9a0740b04e914
Instruction Fuzzy Hash: A84175B1D05A588BEB6CCF6BCD4469EFAF3AFC9201F14C1BA941DAB255DB7009458F00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: KgZEfacljaFey.exePID: 6040, Parent PID: 1084COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	235
Total number of Limit Nodes:	7

Executed Functions

Function 01279A50 Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01279C96

Memory Dump Source

Source File: 00000007.00000002.386818436.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1270000_KgZEfacljaFey.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a348e7c2d4dd3f5f3977860c899b2834ab5272a56798928e5c5794f4ff794d79
Instruction ID: f5d31eaf6094bc91f648ea064ae273e3d0785b0a5e0bfe6550355a815c57ed00
Opcode Fuzzy Hash: a348e7c2d4dd3f5f3977860c899b2834ab5272a56798928e5c5794f4ff794d79
Instruction Fuzzy Hash: F2714670A10B068FDB64DF2AC54476BBBF1BF88214F10892ED58AD7A50E735E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01275364 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01275421

Memory Dump Source

Source File: 00000007.00000002.386818436.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1270000_KgZEfacljaFey.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 42376c8005652ea3bd8f100a71921de8b336164ee7622f83eaa7be4186236029
Instruction ID: 0cea181281f3759f60aa71aa7bc13be33a30b1554b2e84f8fb72004d0355e166
Opcode Fuzzy Hash: 42376c8005652ea3bd8f100a71921de8b336164ee7622f83eaa7be4186236029
Instruction Fuzzy Hash: 0C511271D00619CFDB20CFA9C9847DEFBB1BF48314F20806AD419AB251D7746986CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 052A048C Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052A05AA

Memory Dump Source

Source File: 00000007.00000002.392495558.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52a0000_KgZEfacljaFey.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2c30d39aecb8ef5b7cd1ef8f1fcc811280cbf137ea1bfec2ac2e3f8d26a704e3
Instruction ID: 6f2ec14985678f8e9bad53cb4c952b8dd2a9749317d00e178651a6b48f772a26
Opcode Fuzzy Hash: 2c30d39aecb8ef5b7cd1ef8f1fcc811280cbf137ea1bfec2ac2e3f8d26a704e3
Instruction Fuzzy Hash: FD51C2B1D10309DFDB14CFAAD884ADEBFB5BF48310F64812AE419AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052A0498 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052A05AA

Memory Dump Source

Source File: 00000007.00000002.392495558.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52a0000_KgZEfacljaFey.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f27d9d713f91eebd221a2379b7f431020ae4c1af4a2552374f2a10495e824d9c
Instruction ID: 1ad07b075c65dfff31adc8497a7c955c400c45718b0441671d9eaa7d6afadbcf
Opcode Fuzzy Hash: f27d9d713f91eebd221a2379b7f431020ae4c1af4a2552374f2a10495e824d9c
Instruction Fuzzy Hash: 7B41A0B1D10309DFDB14CF9AD884ADEBBB5BF88310F64852AE419AB210D775A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01273DE8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01275421

Memory Dump Source

Source File: 00000007.00000002.386818436.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1270000_KgZEfacljaFey.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d165348964321717afa73ee33a75db22ed3a0b50951c022e6866cfae4a3381fa
Instruction ID: b1eac1f9faa83c5c93ab03f249249505e1ebd9387678519374a9ab066c6e6467
Opcode Fuzzy Hash: d165348964321717afa73ee33a75db22ed3a0b50951c022e6866cfae4a3381fa
Instruction Fuzzy Hash: E141E171D0061DCEDB24DFA9C88479EFBB5BF48304F608069D419AB251DBB56986CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 052A2A50 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 052A2B11

Memory Dump Source

Source File: 00000007.00000002.392495558.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52a0000_KgZEfacljaFey.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5162623e6d2fb7ab1852228d0beaa8fcf47f29fb9c001ebb75c27ab625469250
Instruction ID: 1c11ee73a2b93d9ebc2f652edf18de5a4d1fbf55b9591a410268700a8b001a1b
Opcode Fuzzy Hash: 5162623e6d2fb7ab1852228d0beaa8fcf47f29fb9c001ebb75c27ab625469250
Instruction Fuzzy Hash: 1641E8B9910345CFDB14CF99C589BAABBF5FF88314F248459D419AB321D774A881CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0127A764 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0127BF3E,?,?,?,?,?), ref: 0127BFFF

Memory Dump Source

Source File: 00000007.00000002.386818436.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1270000_KgZEfacljaFey.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 94e2e23bf91c967208895fcbf3057e39c1a3531acf4a95e08c7da159b582a8bc
Instruction ID: 21e69d2bef58148986a2a564995dd0c30d5a6c9f429b89c95967a0c80b544735
Opcode Fuzzy Hash: 94e2e23bf91c967208895fcbf3057e39c1a3531acf4a95e08c7da159b582a8bc
Instruction Fuzzy Hash: 2D2114B5900209DFDB10CFAAD984AEEBFF4EB48320F14801AE915B7310D374A950DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0127BF70 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0127BF3E,?,?,?,?,?), ref: 0127BFFF

Memory Dump Source

Source File: 00000007.00000002.386818436.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1270000_KgZEfacljaFey.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ec8c5876b3efde1aefeba6c8669cd13a52340ffff367ea079b9867dcd0ee199c
Instruction ID: d3b493462d8872a787f057bb55c74cdee3889af68da6a8072392ba000ce5e677
Opcode Fuzzy Hash: ec8c5876b3efde1aefeba6c8669cd13a52340ffff367ea079b9867dcd0ee199c
Instruction Fuzzy Hash: 8621E4B5D002099FDB10CFA9D584ADEBFF4EB48320F14845AE915B7310D375A954DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01278FC0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01279D11,00000800,00000000,00000000), ref: 01279F22

Memory Dump Source

Source File: 00000007.00000002.386818436.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1270000_KgZEfacljaFey.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d864ae1342ae5b4b7ea6c1475bd3383047017343ffab110a4582f8070ea8953d
Instruction ID: 820692a68996700c072ff33612f4a3c949441a76c7b12c5c461fc9c946b1d9c7
Opcode Fuzzy Hash: d864ae1342ae5b4b7ea6c1475bd3383047017343ffab110a4582f8070ea8953d
Instruction Fuzzy Hash: C01103B69103098FDB10CF9AD444ADFBBF4AB48324F14842AE919A7200C3B8A585CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01279EB2 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01279D11,00000800,00000000,00000000), ref: 01279F22

Memory Dump Source

Source File: 00000007.00000002.386818436.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1270000_KgZEfacljaFey.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ccb7c381f4798d8f3849b1f112dc0d3ce0cf8cf99510f3b26c6b5e6b2df40204
Instruction ID: c7b913b0f2b3daecb3ce7ec8a9001c949c38993000ccab203be42b10bdca09e0
Opcode Fuzzy Hash: ccb7c381f4798d8f3849b1f112dc0d3ce0cf8cf99510f3b26c6b5e6b2df40204
Instruction Fuzzy Hash: 421123B6D002098FDB10CFAAD444BDFFBF4AB88324F14842EE519A7610C379A585CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01279C30 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01279C96

Memory Dump Source

Source File: 00000007.00000002.386818436.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1270000_KgZEfacljaFey.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 91e01ac0f62d2c3e162a47247119c89a5a9faef97856e2dda09afade2d0af927
Instruction ID: 806554426f2cb34700b3cd3c38d5b9ae038e74239184d09004a8874939a7ac79
Opcode Fuzzy Hash: 91e01ac0f62d2c3e162a47247119c89a5a9faef97856e2dda09afade2d0af927
Instruction Fuzzy Hash: 2311DFB6C003498FDB10CF9AD544ADEFBF4AB88224F14842AD519B7610C375A585CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 052A06D8 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 052A073D

Memory Dump Source

Source File: 00000007.00000002.392495558.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52a0000_KgZEfacljaFey.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b2ef9d2f80419ce2aa94d4a91b96e4c299e3c508208628967c1183d8abdae071
Instruction ID: 7262fb33ed4e3999ed85a93e658518e3f5c2ada38fbb05e901be2d9e988ab325
Opcode Fuzzy Hash: b2ef9d2f80419ce2aa94d4a91b96e4c299e3c508208628967c1183d8abdae071
Instruction Fuzzy Hash: F61103B68002498FDB10CF99D588BDEBBF4EF48320F24855AD459B7700C374AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 052A06E0 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 052A073D

Memory Dump Source

Source File: 00000007.00000002.392495558.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52a0000_KgZEfacljaFey.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ae342028ce0c35913ee75f2aef31b2940383fe18bb4572920d871bac7449539c
Instruction ID: 873daaa1f5b582f3a294288a4bdb0d1bcf3f8f592a0fa4a9158bac906868c6c7
Opcode Fuzzy Hash: ae342028ce0c35913ee75f2aef31b2940383fe18bb4572920d871bac7449539c
Instruction Fuzzy Hash: B111E5B58002099FDB10CF9AD588BDEBBF8EB48324F20845AD959B7700C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0121D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.386264675.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_121d000_KgZEfacljaFey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16402310c056bda69937bbdaeb64d7fd43b9002f4b74cccad21abb3613e1d68
Instruction ID: bdf7f5e24803e09d155b9eb49b2cdd6be40620f74d488720ce5df2584a29b270
Opcode Fuzzy Hash: f16402310c056bda69937bbdaeb64d7fd43b9002f4b74cccad21abb3613e1d68
Instruction Fuzzy Hash: 9C216A71514244EFDB15DF58E8C4B27BFA1FB94328F20C569D9050B20AC336D846C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0122D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.386430741.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_122d000_KgZEfacljaFey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ac567bc5b204fc132a3189988c660cf210697bbc1b71b3c892fc69c058da4a
Instruction ID: 2d455b5a3357c69ec25327e1b6245e6ea78c0a347965773282b39a264d4d5a6d
Opcode Fuzzy Hash: 45ac567bc5b204fc132a3189988c660cf210697bbc1b71b3c892fc69c058da4a
Instruction Fuzzy Hash: 04212571514248EFDB05CF98D5C0B1ABBA5FB84324F20CA6DD9494B247C376D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0122D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.386430741.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_122d000_KgZEfacljaFey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e250dea505b48e137213bbb12592459a1ef814051a84fddbe00aa0cd8659eeb
Instruction ID: 67603ce21aaac8ea5e7a3a7da8c47c27da5980ac526245f86f68128059ae4c66
Opcode Fuzzy Hash: 0e250dea505b48e137213bbb12592459a1ef814051a84fddbe00aa0cd8659eeb
Instruction Fuzzy Hash: 11216771514248EFCB11CF58D4C0B1ABF61FB84354F20C96DD94A0B256C33AD907CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0122D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.386430741.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_122d000_KgZEfacljaFey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0465e189620865d534ff85b31835ed6beffad07ac7f87f2d57c63325b0a9ad
Instruction ID: 9d8fbee418874f8555b8f0953523c1ac6d1f17de6cdd3ac14517d4d8ee74cc72
Opcode Fuzzy Hash: 8e0465e189620865d534ff85b31835ed6beffad07ac7f87f2d57c63325b0a9ad
Instruction Fuzzy Hash: 4F217F755083849FCB02CF24D994B15BF71EB46314F28C5EAD9858F267C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0121D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.386264675.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_121d000_KgZEfacljaFey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction ID: 487d30f196f66a50fef1032c8bd6e2631915478f7e32d562640c37098bf3b1e4
Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction Fuzzy Hash: A1110376404284DFCB16CF14D5C4B16BFB1FB84324F24C6A9D9440B61AC336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.386430741.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_122d000_KgZEfacljaFey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
Instruction ID: 53f369a2d4068362632f4add887f87b7c7ad76261e15585961d3c901c702ae70
Opcode Fuzzy Hash: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
Instruction Fuzzy Hash: EB11BB75904284EFDB02CF54C5C0B19BBA1FB85324F28C6ADD9494B657C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0121D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.386264675.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_121d000_KgZEfacljaFey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef355ff43589f21b0fb969b444c7f01a69cae61a773ee21a7dd1dee911753e98
Instruction ID: 457a76b1342cfb86a354cd20c4eea9b42d841ed09cdb206205ee5098ab1907c5
Opcode Fuzzy Hash: ef355ff43589f21b0fb969b444c7f01a69cae61a773ee21a7dd1dee911753e98
Instruction Fuzzy Hash: 8201FC315143C8DAE714CE59CC88B67BFD8DF51634F08851AEE051F24AD3B89842C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0121D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.386264675.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_121d000_KgZEfacljaFey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d34363ba8bbf02fb4ba71aab2876ac90dc87ce67ef52a433456f7a299006f1
Instruction ID: 5a950ba74b91b79ed53bf7dd90f60a88593785095f3f4314e8848c9373b5d0c7
Opcode Fuzzy Hash: 75d34363ba8bbf02fb4ba71aab2876ac90dc87ce67ef52a433456f7a299006f1
Instruction Fuzzy Hash: 9BF0C2714042889EE7158E59DC88B63FFD8EF91634F18C45AEE085F286C3B89845CAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cRC31pEDkr.exePID: 1876, Parent PID: 4064COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	178
Total number of Limit Nodes:	7

Executed Functions

Function 05E22FA0 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.567934290.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e20000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568428a56625dc60de49505fe670b25437e529ffe88d99d15de17c0db9055a42
Instruction ID: 5ad262770b98800a0dbe4468cef485746ea24b46b44dd2564b49b311f47a852d
Opcode Fuzzy Hash: 568428a56625dc60de49505fe670b25437e529ffe88d99d15de17c0db9055a42
Instruction Fuzzy Hash: B3816871D043198FDF10DFA9C881ADEBBB1FF48304F10852AE855AB254DB79A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04CB93E8 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04CB962E

Memory Dump Source

Source File: 0000000A.00000002.566535792.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4cb0000_cRC31pEDkr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7b159b5f5648ef6867103ce1d44c57bca8ad014637be50dda7b223d0b6de6f17
Instruction ID: 1debfded7750be85715335705a6861d42d80f213e3b99c775555c749b85d4440
Opcode Fuzzy Hash: 7b159b5f5648ef6867103ce1d44c57bca8ad014637be50dda7b223d0b6de6f17
Instruction Fuzzy Hash: FD7113B0A00B058FD764DF2AC45079ABBF2BF88314F108A29E58AD7A50D774F9468F91

Uniqueness

Uniqueness Score: -1.00%

Function 05E2304C Relevance: 1.6, APIs: 1, Instructions: 140
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 05E23180

Memory Dump Source

Source File: 0000000A.00000002.567934290.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e20000_cRC31pEDkr.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: bfdf01b19b366920d0bec923f3aa70054d911fc3e52cd3d150996d9af4750ca1
Instruction ID: d67750c53ca86764cd9e872f1e073ff7d74f34ef1724047e364e5e759ae08248
Opcode Fuzzy Hash: bfdf01b19b366920d0bec923f3aa70054d911fc3e52cd3d150996d9af4750ca1
Instruction Fuzzy Hash: EB514671D003589FDB10CFA9C881ADEBBB1FF48304F14842AE855AB254DB796886CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05E21A1C Relevance: 1.6, APIs: 1, Instructions: 140
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 05E23180

Memory Dump Source

Source File: 0000000A.00000002.567934290.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5e20000_cRC31pEDkr.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 4e254e64b74c95ae20f8e1337d92a34fb277a718d2910074bb6fdcb732040333
Instruction ID: c48cf52f033abcd48981cb1c4d7e3c70106e9d29f52d78931782a4f3fa154dcc
Opcode Fuzzy Hash: 4e254e64b74c95ae20f8e1337d92a34fb277a718d2910074bb6fdcb732040333
Instruction Fuzzy Hash: C85145B1D0031C9FDB10CFA9C885ADEBBB1FF48304F24852AE855AB254DB786885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04CBFBEC Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04CBFD0A

Memory Dump Source

Source File: 0000000A.00000002.566535792.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4cb0000_cRC31pEDkr.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 395e61ab29de29779ccc07727ce06754ce46be06a3cd5b092ec9ce5341973d80
Instruction ID: 1b6788ffd7f4f9bae7e2f144f7b910e243904a1d567b51cb24dcb41e74a9234e
Opcode Fuzzy Hash: 395e61ab29de29779ccc07727ce06754ce46be06a3cd5b092ec9ce5341973d80
Instruction Fuzzy Hash: 2351A2B1D102099FDB14CFA9D884ADEBBB5FF48314F24812AE815AB214D775A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CBDA04 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04CBFD0A

Memory Dump Source

Source File: 0000000A.00000002.566535792.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4cb0000_cRC31pEDkr.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: faad8c799d398dd47abcffdd409ec6da3a10f367c995278f25424dcde6bc57df
Instruction ID: eef8a56fc2abcb2ff63fb25a029a7613ce1cf2201935d6c7210292d0ccc7199a
Opcode Fuzzy Hash: faad8c799d398dd47abcffdd409ec6da3a10f367c995278f25424dcde6bc57df
Instruction Fuzzy Hash: 0D51A2B1D10309DFDB14CFAAC884ADEBBB5BF48310F24812AE415AB214D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CBA14C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04CBBCC6,?,?,?,?,?), ref: 04CBBD87

Memory Dump Source

Source File: 0000000A.00000002.566535792.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4cb0000_cRC31pEDkr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 684e16630d1b8c3ab3350db6061dbb85a6ef02d1996ac15323b28bb5e0e21427
Instruction ID: 78817018626a7cc9abae547712d3013fbbac0a63bcaa8eceb54e1963ef0c48a6
Opcode Fuzzy Hash: 684e16630d1b8c3ab3350db6061dbb85a6ef02d1996ac15323b28bb5e0e21427
Instruction Fuzzy Hash: 5421E6B59002099FDB10CFAAD984ADEBFF5FB48310F14841AE954B7310D378A944DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CBBCF9 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04CBBCC6,?,?,?,?,?), ref: 04CBBD87

Memory Dump Source

Source File: 0000000A.00000002.566535792.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4cb0000_cRC31pEDkr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 304ed7c4de2163d93bf36f80effcc6c6cd33087da22fb4b13dfaf49fa6ab05d8
Instruction ID: 0ae039a23fb237da6a3d5f3a2c32efefa6f3136ffbaef7fa7ecfb3e1244a342d
Opcode Fuzzy Hash: 304ed7c4de2163d93bf36f80effcc6c6cd33087da22fb4b13dfaf49fa6ab05d8
Instruction Fuzzy Hash: E821E2B5D00209DFDB00CFAAD584ADEBBF5FB48320F14841AE955A7310D378AA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CB8768 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04CB96A9,00000800,00000000,00000000), ref: 04CB98BA

Memory Dump Source

Source File: 0000000A.00000002.566535792.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4cb0000_cRC31pEDkr.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d6a4a99ea18ce0a3fcf8510c73f484ce0c22de2513e001cb46af29c0fcad29fa
Instruction ID: f961f6691299ad058fc0583d3a28d54c3db30f854ae9393779299ff26abdb186
Opcode Fuzzy Hash: d6a4a99ea18ce0a3fcf8510c73f484ce0c22de2513e001cb46af29c0fcad29fa
Instruction Fuzzy Hash: 641114B6D002099FDB10CF9AC444ADEFBF5EB88310F14842ED555B7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D932D8 Relevance: 1.6, APIs: 1, Instructions: 51
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,025153E8,00000000,?), ref: 04D9E73D

Memory Dump Source

Source File: 0000000A.00000002.567000847.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d90000_cRC31pEDkr.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 07ef436801a18e3dbcbb3e320aa564c7781e683d3bd971fac9fa52517bc88195
Instruction ID: dc6f07fb89c5c35916922fd25f0d0fd741bda03536c6841c321d69404472e88e
Opcode Fuzzy Hash: 07ef436801a18e3dbcbb3e320aa564c7781e683d3bd971fac9fa52517bc88195
Instruction Fuzzy Hash: E11128B59003099FDB10CF9AC885BEEBBF8FB48320F108429E554B7241D378A984DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CB984B Relevance: 1.6, APIs: 1, Instructions: 51
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04CB96A9,00000800,00000000,00000000), ref: 04CB98BA

Memory Dump Source

Source File: 0000000A.00000002.566535792.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4cb0000_cRC31pEDkr.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 92d64630eabdac610c0e90fb663c3e3b2537fc90b746de2cdfeea4038f08481e
Instruction ID: 413d6a8477c9417eac190be16f06277dc52f16470963afe37957d44d9d368236
Opcode Fuzzy Hash: 92d64630eabdac610c0e90fb663c3e3b2537fc90b746de2cdfeea4038f08481e
Instruction Fuzzy Hash: 9C11F3B6D002098FDB10CFAAD484ADEFBF5AB88310F14842ED565B7610C379A645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D9E6D8 Relevance: 1.6, APIs: 1, Instructions: 50
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,025153E8,00000000,?), ref: 04D9E73D

Memory Dump Source

Source File: 0000000A.00000002.567000847.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d90000_cRC31pEDkr.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 09247dcb58d1c6d586c986338423f2d5db2edca89f636792f8125dd69953f276
Instruction ID: 89c8c14da1d19c633b5711c06c339bef6c72b9f50bfe118bdbba708f3ec876eb
Opcode Fuzzy Hash: 09247dcb58d1c6d586c986338423f2d5db2edca89f636792f8125dd69953f276
Instruction Fuzzy Hash: BE1119B18002499FDB10CF99C984BEEBBF4FB48324F248559D454A7251C774A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D9D238 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 04D9D29D

Memory Dump Source

Source File: 0000000A.00000002.567000847.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d90000_cRC31pEDkr.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 20d4666cc33c8c65d5ff47034cbcc56de0acea9a6fa7c1ab071693728dbc5e45
Instruction ID: 8637c6ee88e54b9e40a3755a529602ded6a995948bae8f76841aafb6585f26a0
Opcode Fuzzy Hash: 20d4666cc33c8c65d5ff47034cbcc56de0acea9a6fa7c1ab071693728dbc5e45
Instruction Fuzzy Hash: CB11F2B58002499FDB10CF9AD584BDEBFF4FB48320F20845AE455A7610C379A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D91540 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,04D9226A,?,00000000,?), ref: 04D9C435

Memory Dump Source

Source File: 0000000A.00000002.567000847.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d90000_cRC31pEDkr.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ac76813a95628074fce1bd144032033d376e5c003079d5f2c51a01b7026c1c06
Instruction ID: f80b56f0d1d862de89d82024fed9231d207bba5ecc01fd4b95c9242ee08a2c6b
Opcode Fuzzy Hash: ac76813a95628074fce1bd144032033d376e5c003079d5f2c51a01b7026c1c06
Instruction Fuzzy Hash: 3511F2B59003499FDB10CF9AC984BEEBBF8EB48724F108419E555B7600D3B5A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D950D4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 04D9D29D

Memory Dump Source

Source File: 0000000A.00000002.567000847.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d90000_cRC31pEDkr.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9acc0eee632a71d019bcde91a941aed540dfcc00e4ff4f5cd42464794a3d7f83
Instruction ID: b6fcb3de925a070c64fa159007356d5d0d5b4db964c4c24a4c78af0e015cb158
Opcode Fuzzy Hash: 9acc0eee632a71d019bcde91a941aed540dfcc00e4ff4f5cd42464794a3d7f83
Instruction Fuzzy Hash: 7E11F2B59002099FEB10CF9AC584BDEBBF8EB48320F10841AE955B7300C3B5A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CB95C8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04CB962E

Memory Dump Source

Source File: 0000000A.00000002.566535792.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4cb0000_cRC31pEDkr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2d22ee65a1df6946623734ae94071a43375b8f5145940de47b870671a815ebf3
Instruction ID: 2c29750e52c843eaf6853a609f526b5a6820a7a2f1ab2411adc3b7c26fe35360
Opcode Fuzzy Hash: 2d22ee65a1df6946623734ae94071a43375b8f5145940de47b870671a815ebf3
Instruction Fuzzy Hash: 701110B2C002098FDB10CF9AC444ADEFBF4AF88324F10842AD469B7600C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CBDA3C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04CBFE28,?,?,?,?), ref: 04CBFE9D

Memory Dump Source

Source File: 0000000A.00000002.566535792.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4cb0000_cRC31pEDkr.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 49673d5cdaefad60ab38db7f5bb3cc0be0f784d6de994ddf731d64aaa31e3274
Instruction ID: 3ee10383d6534b77ca91d598da436b35fd2b106be21c35a2b0bcc1b5cfe42523
Opcode Fuzzy Hash: 49673d5cdaefad60ab38db7f5bb3cc0be0f784d6de994ddf731d64aaa31e3274
Instruction Fuzzy Hash: DD1103B59002499FDB10CF9AD984BEFBBF8EB88324F10845AE955B7341C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D9DC60 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 04D9F435

Memory Dump Source

Source File: 0000000A.00000002.567000847.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d90000_cRC31pEDkr.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 18f944eb01663eb3536519e2fea3d0ff0d16476a64df10735d6e5855b027cde3
Instruction ID: da9a70f88123e8c604dfc31cba02934f42d7adbd5c6d01b6907fb87e1b0df998
Opcode Fuzzy Hash: 18f944eb01663eb3536519e2fea3d0ff0d16476a64df10735d6e5855b027cde3
Instruction Fuzzy Hash: 271115B19002498FDB10CFAAD584BDEBBF4EB48324F108459D559F7700D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CBFE3B Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04CBFE28,?,?,?,?), ref: 04CBFE9D

Memory Dump Source

Source File: 0000000A.00000002.566535792.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4cb0000_cRC31pEDkr.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 3d1f09d45cb4aa584299cca0aa334b104fff70c661ec5f717636f9c5d917265d
Instruction ID: 068f7e311ae95e0e61af23e2304b285279c3d71accc0e3124c2940caba057fd9
Opcode Fuzzy Hash: 3d1f09d45cb4aa584299cca0aa334b104fff70c661ec5f717636f9c5d917265d
Instruction Fuzzy Hash: BB1115B59002498FDB10CF9AD984BDEBBF4EB88320F20851AD855B7741C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D9F3D8 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 04D9F435

Memory Dump Source

Source File: 0000000A.00000002.567000847.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d90000_cRC31pEDkr.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 587a577e721ee5ebd0985a0e85085507d1f9ecd1a1d3aa781b5c45894e955571
Instruction ID: 8d3315e49fc6fcfc834d198c4685ce768d4e5d704de0827558dff24e52e7f1bf
Opcode Fuzzy Hash: 587a577e721ee5ebd0985a0e85085507d1f9ecd1a1d3aa781b5c45894e955571
Instruction Fuzzy Hash: 7E1112B5900209CFDB10CFA9D5887CEBFF4AB48324F208429D559F7610D379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D9C3D0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,04D9226A,?,00000000,?), ref: 04D9C435

Memory Dump Source

Source File: 0000000A.00000002.567000847.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4d90000_cRC31pEDkr.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f66c4f76e96f9ac8485192a5c1b31d97f1482647ee165cd3b79402ad3a1f4113
Instruction ID: 9a2a760dd65b565edded53e5616ad8f8eaa8f2873490cb36bb33a1fc2248da5d
Opcode Fuzzy Hash: f66c4f76e96f9ac8485192a5c1b31d97f1482647ee165cd3b79402ad3a1f4113
Instruction Fuzzy Hash: F41130B59003498FDB10CF99D584BDEBBF4FB48324F20881AD495A7200C374A994CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.561075587.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a6d000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d7d7980893a8b1365a7533f28e17204e5efdc9f46358bbfa40bdbc59a24636
Instruction ID: a4969d90ea2e9a734afb8fb43f2550b2184d58b9f9a2af2724730b7e3ca8402e
Opcode Fuzzy Hash: 01d7d7980893a8b1365a7533f28e17204e5efdc9f46358bbfa40bdbc59a24636
Instruction Fuzzy Hash: 522167B1A04240DFDB11CF04D9C0B27BF71FB88368F208569E9060B606C336EC46DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.561075587.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a6d000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d58570459b07ac75c9cebb29eeeb800a9f9edfc1ce67908bcc0f1dee0aca0cb
Instruction ID: d9e2f6ea0955bc0d15dee88ce4cf41adf5576318b018ac9c54351a5870d65d6c
Opcode Fuzzy Hash: 6d58570459b07ac75c9cebb29eeeb800a9f9edfc1ce67908bcc0f1dee0aca0cb
Instruction Fuzzy Hash: C92125B1A04240EFDB05DF14D8C4B16BF75FB983A4F24C569E8050B246C736EC46D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.561075587.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a6d000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction ID: 1be804591e5e89936ab5bfa526de1d141717d133587dcd77c643a60fac959753
Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction Fuzzy Hash: 5111E676904280CFCB16CF10D5C4B16BF71FB94324F24C6A9D8450B616C336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.561075587.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a6d000_cRC31pEDkr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction ID: ab3a1fe336dac44fd8c21afccfd79b6a77c403bfdb3ed1198a9cdaa284c95f93
Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction Fuzzy Hash: 4311D376904280CFDB16CF14D5C4B56BF71FB84324F24C6A9D9054B656C336D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cRC31pEDkr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KgZEfacljaFey.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cRC31pEDkr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l55gaxga.5bu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wn1bnogj.r25.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xlbtqxm5.ana.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0sc0zox.gi0.ps1

C:\Users\user\AppData\Local\Temp\tmp5E04.tmp

C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp

Windows Analysis Report
cRC31pEDkr.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre