Edit tour

Windows Analysis Report
cRC31pEDkr.exe

Overview

General Information

Sample Name:	cRC31pEDkr.exe
Analysis ID:	800441
MD5:	ac2609d2181f756550e3c180329b121c
SHA1:	2ac2462013be76e3bb606c7deaec5e0e4609cd59
SHA256:	9730aee1d4d04bb12e1df2a5550741eed7266625f8d99443dd0cd0dffca07112
Tags:	exeNanoCore
Infos:

Detection

Nanocore, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected zgRAT

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cRC31pEDkr.exe (PID: 4064 cmdline: C:\Users\user\Desktop\cRC31pEDkr.exe MD5: AC2609D2181F756550E3C180329B121C)

powershell.exe (PID: 3492 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 4332 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4724 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cRC31pEDkr.exe (PID: 4980 cmdline: C:\Users\user\Desktop\cRC31pEDkr.exe MD5: AC2609D2181F756550E3C180329B121C)

cRC31pEDkr.exe (PID: 4556 cmdline: C:\Users\user\Desktop\cRC31pEDkr.exe MD5: AC2609D2181F756550E3C180329B121C)

cRC31pEDkr.exe (PID: 1876 cmdline: C:\Users\user\Desktop\cRC31pEDkr.exe MD5: AC2609D2181F756550E3C180329B121C)

KgZEfacljaFey.exe (PID: 6040 cmdline: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe MD5: AC2609D2181F756550E3C180329B121C)

schtasks.exe (PID: 5600 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

KgZEfacljaFey.exe (PID: 5196 cmdline: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe MD5: AC2609D2181F756550E3C180329B121C)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "e971e6b5-1c8b-4bb4-a1a3-7f94e076", "Group": "Ebube", "Domain1": "elzy.ddns.net", "Domain2": "127.0.0.1", "Port": 2000, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f0d:$a: NanoCore 0x42f66:$a: NanoCore 0x42fa3:$a: NanoCore 0x4301c:$a: NanoCore 0x566c7:$a: NanoCore 0x566dc:$a: NanoCore 0x56711:$a: NanoCore 0x6f183:$a: NanoCore 0x6f198:$a: NanoCore 0x6f1cd:$a: NanoCore 0x42f6f:$b: ClientPlugin 0x42fac:$b: ClientPlugin 0x438aa:$b: ClientPlugin 0x438b7:$b: ClientPlugin 0x56483:$b: ClientPlugin 0x5649e:$b: ClientPlugin 0x564ce:$b: ClientPlugin 0x566e5:$b: ClientPlugin 0x5671a:$b: ClientPlugin 0x6ef3f:$b: ClientPlugin 0x6ef5a:$b: ClientPlugin
0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x42fa3:$a1: NanoCore.ClientPluginHost 0x56711:$a1: NanoCore.ClientPluginHost 0x6f1cd:$a1: NanoCore.ClientPluginHost 0x42f66:$a2: NanoCore.ClientPlugin 0x566dc:$a2: NanoCore.ClientPlugin 0x6f198:$a2: NanoCore.ClientPlugin 0x4333a:$b1: get_BuilderSettings 0x5b657:$b1: get_BuilderSettings 0x74113:$b1: get_BuilderSettings 0x42ff1:$b4: IClientAppHost 0x433ab:$b6: AddHostEntry 0x4341a:$b7: LogClientException 0x5b5c6:$b7: LogClientException 0x74082:$b7: LogClientException 0x4338f:$b8: PipeExists 0x42fde:$b9: IClientLoggingHost 0x5672b:$b9: IClientLoggingHost 0x6f1e7:$b9: IClientLoggingHost
0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x36139:$a1: NanoCore.ClientPluginHost 0x360fc:$a2: NanoCore.ClientPlugin 0x364d0:$b1: get_BuilderSettings 0x36187:$b4: IClientAppHost 0x36541:$b6: AddHostEntry 0x365b0:$b7: LogClientException 0x36525:$b8: PipeExists 0x36174:$b9: IClientLoggingHost
0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x45f6d:$x1: NanoCore.ClientPluginHost 0x7898d:$x1: NanoCore.ClientPluginHost 0x184c3d:$x1: NanoCore.ClientPluginHost 0x45faa:$x2: IClientNetworkHost 0x789ca:$x2: IClientNetworkHost 0x184c7a:$x2: IClientNetworkHost 0x49add:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7c4fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1887ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x45cd5:$a: NanoCore 0x45ce5:$a: NanoCore 0x45f19:$a: NanoCore 0x45f2d:$a: NanoCore 0x45f6d:$a: NanoCore 0x786f5:$a: NanoCore 0x78705:$a: NanoCore 0x78939:$a: NanoCore 0x7894d:$a: NanoCore 0x7898d:$a: NanoCore 0x1849a5:$a: NanoCore 0x1849b5:$a: NanoCore 0x184be9:$a: NanoCore 0x184bfd:$a: NanoCore 0x184c3d:$a: NanoCore 0x45d34:$b: ClientPlugin 0x45f36:$b: ClientPlugin 0x45f76:$b: ClientPlugin 0x78754:$b: ClientPlugin 0x78956:$b: ClientPlugin 0x78996:$b: ClientPlugin
00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x45f6d:$a1: NanoCore.ClientPluginHost 0x7898d:$a1: NanoCore.ClientPluginHost 0x184c3d:$a1: NanoCore.ClientPluginHost 0x45f2d:$a2: NanoCore.ClientPlugin 0x7894d:$a2: NanoCore.ClientPlugin 0x184bfd:$a2: NanoCore.ClientPlugin 0x47e86:$b1: get_BuilderSettings 0x7a8a6:$b1: get_BuilderSettings 0x186b56:$b1: get_BuilderSettings 0x45d89:$b2: ClientLoaderForm.resources 0x787a9:$b2: ClientLoaderForm.resources 0x184a59:$b2: ClientLoaderForm.resources 0x475a6:$b3: PluginCommand 0x79fc6:$b3: PluginCommand 0x186276:$b3: PluginCommand 0x45f5e:$b4: IClientAppHost 0x7897e:$b4: IClientAppHost 0x184c2e:$b4: IClientAppHost 0x503de:$b5: GetBlockHash 0x82dfe:$b5: GetBlockHash 0x18f0ae:$b5: GetBlockHash
00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfa3:$a1: NanoCore.ClientPluginHost 0xf66:$a2: NanoCore.ClientPlugin 0xff1:$b4: IClientAppHost 0xfde:$b9: IClientLoggingHost
0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6944b:$a: NanoCore 0x694a4:$a: NanoCore 0x694e1:$a: NanoCore 0x6955a:$a: NanoCore 0x694ad:$b: ClientPlugin 0x694ea:$b: ClientPlugin 0x69de8:$b: ClientPlugin 0x69df5:$b: ClientPlugin 0x5f09a:$e: KeepAlive 0x69935:$g: LogClientMessage 0x698b5:$i: get_Connected 0x59881:$j: #=q 0x598b1:$j: #=q 0x598ed:$j: #=q 0x59915:$j: #=q 0x59945:$j: #=q 0x59975:$j: #=q 0x599a5:$j: #=q 0x599d5:$j: #=q 0x599f1:$j: #=q 0x59a21:$j: #=q
0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694e1:$a1: NanoCore.ClientPluginHost 0x694a4:$a2: NanoCore.ClientPlugin 0x5adbb:$b1: get_BuilderSettings 0x69878:$b1: get_BuilderSettings 0x6952f:$b4: IClientAppHost 0x698e9:$b6: AddHostEntry 0x5ad2a:$b7: LogClientException 0x69958:$b7: LogClientException 0x698cd:$b8: PipeExists 0x6951c:$b9: IClientLoggingHost
Process Memory Space: cRC31pEDkr.exe PID: 4064	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x104621:$x1: NanoCore.ClientPluginHost 0x10465e:$x2: IClientNetworkHost 0x108146:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1131c4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11f2af:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1449e4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: cRC31pEDkr.exe PID: 4064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: cRC31pEDkr.exe PID: 4064	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: cRC31pEDkr.exe PID: 4064	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1042ee:$a: NanoCore 0x1042fe:$a: NanoCore 0x1043bd:$a: NanoCore 0x1043cc:$a: NanoCore 0x1045cd:$a: NanoCore 0x1045e1:$a: NanoCore 0x104621:$a: NanoCore 0x10f82e:$a: NanoCore 0x10f840:$a: NanoCore 0x10f87c:$a: NanoCore 0x11b919:$a: NanoCore 0x11b92b:$a: NanoCore 0x11b967:$a: NanoCore 0x14104e:$a: NanoCore 0x141060:$a: NanoCore 0x14109c:$a: NanoCore 0x10434d:$b: ClientPlugin 0x104416:$b: ClientPlugin 0x1045ea:$b: ClientPlugin 0x10462a:$b: ClientPlugin 0x10f849:$b: ClientPlugin
Process Memory Space: cRC31pEDkr.exe PID: 4064	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x104621:$a1: NanoCore.ClientPluginHost 0x1045e1:$a2: NanoCore.ClientPlugin 0x1064ef:$b1: get_BuilderSettings 0x1043a2:$b2: ClientLoaderForm.resources 0x105c0f:$b3: PluginCommand 0x104612:$b4: IClientAppHost 0x10ea3a:$b5: GetBlockHash 0x106b47:$b6: AddHostEntry 0x111c5e:$b6: AddHostEntry 0x11dd49:$b6: AddHostEntry 0x14347e:$b6: AddHostEntry 0x10a83a:$b7: LogClientException 0x11579f:$b7: LogClientException 0x12188a:$b7: LogClientException 0x146fbf:$b7: LogClientException 0x106ab4:$b8: PipeExists 0x111bd2:$b8: PipeExists 0x11dcbd:$b8: PipeExists 0x1433f2:$b8: PipeExists 0x10464b:$b9: IClientLoggingHost
Process Memory Space: KgZEfacljaFey.exe PID: 6040	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: cRC31pEDkr.exe PID: 1876	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: cRC31pEDkr.exe PID: 1876	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14dc:$a: NanoCore 0x1538:$a: NanoCore 0x15ae:$a: NanoCore 0xbe02:$a: NanoCore 0xbe5b:$a: NanoCore 0xbe98:$a: NanoCore 0xbf11:$a: NanoCore 0xc7b5:$a: NanoCore 0xc808:$a: NanoCore 0xc841:$a: NanoCore 0xc8b4:$a: NanoCore 0x679c8:$a: NanoCore 0x679dc:$a: NanoCore 0x681ff:$a: NanoCore 0x70f50:$a: NanoCore 0x70f65:$a: NanoCore 0x70f9a:$a: NanoCore 0x7611c:$a: NanoCore 0x7612f:$a: NanoCore 0x76161:$a: NanoCore 0x7ef63:$a: NanoCore
Process Memory Space: cRC31pEDkr.exe PID: 1876	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xbe98:$a1: NanoCore.ClientPluginHost 0x70f9a:$a1: NanoCore.ClientPluginHost 0x7eff9:$a1: NanoCore.ClientPluginHost 0xbe5b:$a2: NanoCore.ClientPlugin 0x70f65:$a2: NanoCore.ClientPlugin 0x7efbc:$a2: NanoCore.ClientPlugin 0xc212:$b1: get_BuilderSettings 0x75d6c:$b1: get_BuilderSettings 0xbee6:$b4: IClientAppHost 0x7f047:$b4: IClientAppHost 0xc283:$b6: AddHostEntry 0xc2f2:$b7: LogClientException 0x75cdb:$b7: LogClientException 0xc267:$b8: PipeExists 0xbed3:$b9: IClientLoggingHost 0x70fb4:$b9: IClientLoggingHost 0x7f034:$b9: IClientLoggingHost
Process Memory Space: KgZEfacljaFey.exe PID: 5196	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1ba6:$x1: NanoCore.ClientPluginHost 0x3121f:$x1: NanoCore.ClientPluginHost 0x36258:$x1: NanoCore.ClientPluginHost 0x1bc0:$x2: IClientNetworkHost 0x31239:$x2: IClientNetworkHost 0x36295:$x2: IClientNetworkHost 0x39d86:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x44e0c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: KgZEfacljaFey.exe PID: 5196	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: KgZEfacljaFey.exe PID: 5196	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b10:$a: NanoCore 0x1b69:$a: NanoCore 0x1ba6:$a: NanoCore 0x1c1f:$a: NanoCore 0x24d8:$a: NanoCore 0x252b:$a: NanoCore 0x2564:$a: NanoCore 0x25d7:$a: NanoCore 0x9ba9:$a: NanoCore 0x9bbc:$a: NanoCore 0x9bee:$a: NanoCore 0xf3bb:$a: NanoCore 0xf3ce:$a: NanoCore 0xf400:$a: NanoCore 0x1b524:$a: NanoCore 0x1b580:$a: NanoCore 0x1b5f4:$a: NanoCore 0x31189:$a: NanoCore 0x311e2:$a: NanoCore 0x3121f:$a: NanoCore 0x31298:$a: NanoCore
Process Memory Space: KgZEfacljaFey.exe PID: 5196	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1ba6:$a1: NanoCore.ClientPluginHost 0x3121f:$a1: NanoCore.ClientPluginHost 0x36258:$a1: NanoCore.ClientPluginHost 0x1b69:$a2: NanoCore.ClientPlugin 0x311e2:$a2: NanoCore.ClientPlugin 0x36218:$a2: NanoCore.ClientPlugin 0x1f20:$b1: get_BuilderSettings 0x2a452:$b1: get_BuilderSettings 0x3812f:$b1: get_BuilderSettings 0x35fd9:$b2: ClientLoaderForm.resources 0x3784f:$b3: PluginCommand 0x1bf4:$b4: IClientAppHost 0x3126d:$b4: IClientAppHost 0x36249:$b4: IClientAppHost 0x40682:$b5: GetBlockHash 0x1f91:$b6: AddHostEntry 0x31580:$b6: AddHostEntry 0x38787:$b6: AddHostEntry 0x438a6:$b6: AddHostEntry 0x2000:$b7: LogClientException 0x2a3c1:$b7: LogClientException
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.cRC31pEDkr.exe.5290000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.5290000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.2.cRC31pEDkr.exe.5290000.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
10.2.cRC31pEDkr.exe.5290000.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d09f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0cc:$x2: IClientNetworkHost
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d09f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e17a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0b9:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d06a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d09f:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d05e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d080:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d08f:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d0b9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d055:$a: NanoCore 0x2d06a:$a: NanoCore 0x2d09f:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce11:$b: ClientPlugin 0x2ce2c:$b: ClientPlugin
14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d09f:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d06a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x31fe5:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x31f54:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d0b9:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0x23c40:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c6d:$x2: IClientNetworkHost
14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0x23c40:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d1b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c5a:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c0b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c40:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23bff:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c21:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c30:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c5a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c6d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c80:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23c8e:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23caa:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x23c40:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x23c0b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x28b86:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x28af5:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x23c5a:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.cRC31pEDkr.exe.439fde0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cRC31pEDkr.exe.439fde0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.cRC31pEDkr.exe.439fde0.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cRC31pEDkr.exe.439fde0.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.cRC31pEDkr.exe.439fde0.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.cRC31pEDkr.exe.439fde0.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0xeb0:$s5: IClientLoggingHost
10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xe41:$s1: ClientPlugin
10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0xec3:$b4: IClientAppHost 0xeb0:$b9: IClientLoggingHost
0.2.cRC31pEDkr.exe.43d2800.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cRC31pEDkr.exe.43d2800.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.cRC31pEDkr.exe.43d2800.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cRC31pEDkr.exe.43d2800.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.cRC31pEDkr.exe.43d2800.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.cRC31pEDkr.exe.43d2800.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28269:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28296:$x2: IClientNetworkHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28269:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29344:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28283:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28234:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28269:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28228:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2824a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28259:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x28283:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x28296:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x282a9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282b7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282d3:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28269:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28234:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d1af:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d11e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x28283:$b9: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a60000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.5a60000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a60000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.cRC31pEDkr.exe.5a60000.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
10.2.cRC31pEDkr.exe.5a60000.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
14.2.KgZEfacljaFey.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.KgZEfacljaFey.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.KgZEfacljaFey.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.KgZEfacljaFey.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
14.2.KgZEfacljaFey.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.KgZEfacljaFey.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.cRC31pEDkr.exe.32981e4.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.cRC31pEDkr.exe.32981e4.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x10376:$v1: SbieDll.dll 0x10390:$v2: USER 0x1039c:$v3: SANDBOX 0x103ae:$v4: VIRUS 0x103fe:$v4: VIRUS 0x103bc:$v5: MALWARE 0x103ce:$v6: SCHMIDTI 0x103e2:$v7: CURRENTUSER
10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.cRC31pEDkr.exe.32731c8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.cRC31pEDkr.exe.32731c8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x35392:$v1: SbieDll.dll 0x353ac:$v2: USER 0x353b8:$v3: SANDBOX 0x353ca:$v4: VIRUS 0x3541a:$v4: VIRUS 0x353d8:$v5: MALWARE 0x353ea:$v6: SCHMIDTI 0x353fe:$v7: CURRENTUSER
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x11c43d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x11c47a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11ffad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x6478f:$s1: file:/// 0xd2daf:$s1: file:/// 0x6469f:$s2: {11111-22222-10009-11112} 0xd2cbf:$s2: {11111-22222-10009-11112} 0x6471f:$s3: {11111-22222-50001-00000} 0xd2d3f:$s3: {11111-22222-50001-00000} 0x63895:$s4: get_Module 0xd1eb5:$s4: get_Module 0x63c10:$s5: Reverse 0xd2230:$s5: Reverse 0x1af6f:$s6: BlockCopy 0x5f185:$s6: BlockCopy 0xcd7a5:$s6: BlockCopy 0x12721f:$s6: BlockCopy 0x1af66:$s7: ReadByte 0x127216:$s7: ReadByte 0x647a1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0xd2dc1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x11c1a5:$x1: NanoCore Client 0x11c1b5:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x11c3fd:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x11c43d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x11c3f2:$i1: IClientApp 0x10163:$i2: IClientData 0x11c413:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x11c41f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x11c42e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x11c457:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x11c467:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x11c1a5:$a: NanoCore 0x11c1b5:$a: NanoCore 0x11c3e9:$a: NanoCore 0x11c3fd:$a: NanoCore 0x11c43d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x11c204:$b: ClientPlugin 0x11c406:$b: ClientPlugin 0x11c446:$b: ClientPlugin 0x1007b:$c: ProjectData 0x5ebdf:$c: ProjectData 0xcd1ff:$c: ProjectData 0x11c32b:$c: ProjectData 0x10a82:$d: DESCrypto
0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x11c43d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x11c3fd:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x11e356:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x11c259:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x11da76:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x11c42e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x1268ae:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x11e9ae:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1226a1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x11e91b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x459ad:$x1: NanoCore.ClientPluginHost 0x783cd:$x1: NanoCore.ClientPluginHost 0x18467d:$x1: NanoCore.ClientPluginHost 0x459ea:$x2: IClientNetworkHost 0x7840a:$x2: IClientNetworkHost 0x1846ba:$x2: IClientNetworkHost 0x4951d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7bf3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1881ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcc9cf:$s1: file:/// 0x13afef:$s1: file:/// 0xcc8df:$s2: {11111-22222-10009-11112} 0x13aeff:$s2: {11111-22222-10009-11112} 0xcc95f:$s3: {11111-22222-50001-00000} 0x13af7f:$s3: {11111-22222-50001-00000} 0xcbad5:$s4: get_Module 0x13a0f5:$s4: get_Module 0xcbe50:$s5: Reverse 0x13a470:$s5: Reverse 0x5078f:$s6: BlockCopy 0x831af:$s6: BlockCopy 0xc73c5:$s6: BlockCopy 0x1359e5:$s6: BlockCopy 0x18f45f:$s6: BlockCopy 0x50786:$s7: ReadByte 0x831a6:$s7: ReadByte 0x18f456:$s7: ReadByte 0xcc9e1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x13b001:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x45715:$x1: NanoCore Client 0x45725:$x1: NanoCore Client 0x78135:$x1: NanoCore Client 0x78145:$x1: NanoCore Client 0x1843e5:$x1: NanoCore Client 0x1843f5:$x1: NanoCore Client 0x4596d:$x2: NanoCore.ClientPlugin 0x7838d:$x2: NanoCore.ClientPlugin 0x18463d:$x2: NanoCore.ClientPlugin 0x459ad:$x3: NanoCore.ClientPluginHost 0x783cd:$x3: NanoCore.ClientPluginHost 0x18467d:$x3: NanoCore.ClientPluginHost 0x45962:$i1: IClientApp 0x78382:$i1: IClientApp 0x184632:$i1: IClientApp 0x45983:$i2: IClientData 0x783a3:$i2: IClientData 0x184653:$i2: IClientData 0x4598f:$i3: IClientNetwork 0x783af:$i3: IClientNetwork 0x18465f:$i3: IClientNetwork
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x45715:$a: NanoCore 0x45725:$a: NanoCore 0x45959:$a: NanoCore 0x4596d:$a: NanoCore 0x459ad:$a: NanoCore 0x78135:$a: NanoCore 0x78145:$a: NanoCore 0x78379:$a: NanoCore 0x7838d:$a: NanoCore 0x783cd:$a: NanoCore 0x1843e5:$a: NanoCore 0x1843f5:$a: NanoCore 0x184629:$a: NanoCore 0x18463d:$a: NanoCore 0x18467d:$a: NanoCore 0x45774:$b: ClientPlugin 0x45976:$b: ClientPlugin 0x459b6:$b: ClientPlugin 0x78194:$b: ClientPlugin 0x78396:$b: ClientPlugin 0x783d6:$b: ClientPlugin
0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x459ad:$a1: NanoCore.ClientPluginHost 0x783cd:$a1: NanoCore.ClientPluginHost 0x18467d:$a1: NanoCore.ClientPluginHost 0x4596d:$a2: NanoCore.ClientPlugin 0x7838d:$a2: NanoCore.ClientPlugin 0x18463d:$a2: NanoCore.ClientPlugin 0x478c6:$b1: get_BuilderSettings 0x7a2e6:$b1: get_BuilderSettings 0x186596:$b1: get_BuilderSettings 0x457c9:$b2: ClientLoaderForm.resources 0x781e9:$b2: ClientLoaderForm.resources 0x184499:$b2: ClientLoaderForm.resources 0x46fe6:$b3: PluginCommand 0x79a06:$b3: PluginCommand 0x185cb6:$b3: PluginCommand 0x4599e:$b4: IClientAppHost 0x783be:$b4: IClientAppHost 0x18466e:$b4: IClientAppHost 0x4fe1e:$b5: GetBlockHash 0x8283e:$b5: GetBlockHash 0x18eaee:$b5: GetBlockHash
7.2.KgZEfacljaFey.exe.2c93208.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
7.2.KgZEfacljaFey.exe.2c93208.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x35392:$v1: SbieDll.dll 0x353ac:$v2: USER 0x353b8:$v3: SANDBOX 0x353ca:$v4: VIRUS 0x3541a:$v4: VIRUS 0x353d8:$v5: MALWARE 0x353ea:$v6: SCHMIDTI 0x353fe:$v7: CURRENTUSER
7.2.KgZEfacljaFey.exe.2cb8224.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
7.2.KgZEfacljaFey.exe.2cb8224.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x10376:$v1: SbieDll.dll 0x10390:$v2: USER 0x1039c:$v3: SANDBOX 0x103ae:$v4: VIRUS 0x103fe:$v4: VIRUS 0x103bc:$v5: MALWARE 0x103ce:$v6: SCHMIDTI 0x103e2:$v7: CURRENTUSER
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x14ee5d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x14ee9a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1529cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x971af:$s1: file:/// 0x1057cf:$s1: file:/// 0x970bf:$s2: {11111-22222-10009-11112} 0x1056df:$s2: {11111-22222-10009-11112} 0x9713f:$s3: {11111-22222-50001-00000} 0x10575f:$s3: {11111-22222-50001-00000} 0x962b5:$s4: get_Module 0x1048d5:$s4: get_Module 0x96630:$s5: Reverse 0x104c50:$s5: Reverse 0x1af6f:$s6: BlockCopy 0x4d98f:$s6: BlockCopy 0x91ba5:$s6: BlockCopy 0x1001c5:$s6: BlockCopy 0x159c3f:$s6: BlockCopy 0x1af66:$s7: ReadByte 0x4d986:$s7: ReadByte 0x159c36:$s7: ReadByte 0x971c1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x1057e1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x14ebc5:$x1: NanoCore Client 0x14ebd5:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x14ee1d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x14ee5d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x14ee12:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x14ee33:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x14ee3f:$i3: IClientNetwork
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0x14ebc5:$a: NanoCore 0x14ebd5:$a: NanoCore 0x14ee09:$a: NanoCore 0x14ee1d:$a: NanoCore 0x14ee5d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin
0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x14ee5d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x14ee1d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0x150d76:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x14ec79:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x150496:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x14ee4e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x1592ce:$b5: GetBlockHash
Click to see the 93 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\cRC31pEDkr.exe, ProcessId: 1876, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\cRC31pEDkr.exe, ProcessId: 1876, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\cRC31pEDkr.exe, ParentImage: C:\Users\user\Desktop\cRC31pEDkr.exe, ParentProcessId: 4064, ParentProcessName: cRC31pEDkr.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp, ProcessId: 4724, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\cRC31pEDkr.exe, ProcessId: 1876, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\cRC31pEDkr.exe, ProcessId: 1876, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: cRC31pEDkr.exe	ReversingLabs: Detection: 66%
Source: cRC31pEDkr.exe	Virustotal: Detection: 58%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

ReversingLabs: Detection: 66%

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR

Machine Learning detection for sample

Source: cRC31pEDkr.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

Joe Sandbox ML: detected

Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack	Avira: Label: TR/NanoCore.fadte
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "e971e6b5-1c8b-4bb4-a1a3-7f94e076", "Group": "Ebube", "Domain1": "elzy.ddns.net", "Domain2": "127.0.0.1", "Port": 2000, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Source: cRC31pEDkr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cRC31pEDkr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: elzy.ddns.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Source: unknown

DNS query: name: elzy.ddns.net

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: global traffic

TCP traffic: 192.168.2.5:49701 -> 194.5.98.22:2000

Source: cRC31pEDkr.exe, 00000000.00000003.297044710.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296998530.00000000061B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296850779.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296828770.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296726022.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: cRC31pEDkr.exe, 00000000.00000003.296893411.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296871633.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296944042.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296850779.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296915043.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296828770.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296755309.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296778637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com(
Source: cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296778637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comV
Source: cRC31pEDkr.exe, 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cRC31pEDkr.exe, 00000000.00000003.312291594.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312434363.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.:
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com/
Source: cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTCO
Source: cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comUI
Source: cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comX
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comgU
Source: cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comiE
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.T
Source: cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comorm
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304421291.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304556150.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304506350.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306063064.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061BB000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061C4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305483804.00000000061C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmld.
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersL
Source: cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersn
Source: cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersx
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com9
Source: cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com=
Source: cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312989584.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355271792.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF:
Source: cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFB
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306063064.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalicB
Source: cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomFB
Source: cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomd
Source: cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304556150.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdfet
Source: cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355271792.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312989584.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgreta
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307034097.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307202697.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307122475.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comk:
Source: cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comonyo
Source: cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comsivdo
Source: cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comsivr
Source: cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comtur
Source: cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comuB
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: cRC31pEDkr.exe, 00000000.00000003.298437658.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298492392.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn%
Source: cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298249561.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/H
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/pa
Source: cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnalg
Source: cRC31pEDkr.exe, 00000000.00000003.298437658.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298492392.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnp
Source: cRC31pEDkr.exe, 00000000.00000003.308327351.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308403894.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308132703.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308242645.00000000061B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: cRC31pEDkr.exe, 00000000.00000003.308132703.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/q
Source: cRC31pEDkr.exe, 00000000.00000003.308242645.00000000061B1000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.309287347.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.309054521.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302344077.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: cRC31pEDkr.exe, 00000000.00000003.301234096.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/K
Source: cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0;
Source: cRC31pEDkr.exe, 00000000.00000003.301234096.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0MSB
Source: cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/B
Source: cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/K
Source: cRC31pEDkr.exe, 00000000.00000003.304174210.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304255888.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302711504.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302453010.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303976325.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303455893.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302393161.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302254936.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303356467.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304105124.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302841481.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302937899.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303747330.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302501034.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302640559.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303072404.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Y
Source: cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/o
Source: cRC31pEDkr.exe, 00000000.00000003.302453010.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302393161.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302254936.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302501034.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302344077.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s_tr
Source: cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com.I
Source: cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comb-n
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298129567.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298291425.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298249561.00000000061B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krUN.TTFq
Source: cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298129567.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krs-c
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299081793.000000000187C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: cRC31pEDkr.exe, 00000000.00000003.299081793.000000000187C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com(T
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn%I
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnF
Source: cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnai

Source: unknown

DNS traffic detected: queries for: elzy.ddns.net

Source: cRC31pEDkr.exe, 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.cRC31pEDkr.exe.32981e4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.cRC31pEDkr.exe.32731c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.KgZEfacljaFey.exe.2c93208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 7.2.KgZEfacljaFey.exe.2cb8224.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: cRC31pEDkr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.5290000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.2ba966c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.371b12e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.cRC31pEDkr.exe.32981e4.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.cRC31pEDkr.exe.27062c4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.cRC31pEDkr.exe.32731c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.KgZEfacljaFey.exe.2c93208.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 7.2.KgZEfacljaFey.exe.2cb8224.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_030CC77C
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_030CE823
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_030CE830
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_07BF0006
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_07BF0040
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_07ED0040
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_07ED0006
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127C77C
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127E822
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127E830
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_052A4BE8
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_052A4BD8
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE480
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE473
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBBBD4
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04D9F5F8
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04D9A610
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04D99788

Source: cRC31pEDkr.exe, 00000000.00000003.336610706.000000000879D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamempfA.exe: vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 00000000.00000000.293953891.0000000000E62000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamempfA.exe: vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 00000000.00000002.357794140.0000000007A80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTigra.dll. vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.566234207.0000000003751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.566234207.0000000003738000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.567804764.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe, 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs cRC31pEDkr.exe
Source: cRC31pEDkr.exe	Binary or memory string: OriginalFilenamempfA.exe: vs cRC31pEDkr.exe

Source: cRC31pEDkr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KgZEfacljaFey.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: cRC31pEDkr.exe	ReversingLabs: Detection: 66%
Source: cRC31pEDkr.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File read: C:\Users\user\Desktop\cRC31pEDkr.exe

Jump to behavior

Source: cRC31pEDkr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

Jump to behavior

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5E04.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/12@10/2

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: cRC31pEDkr.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_01
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{e971e6b5-1c8b-4bb4-a1a3-7f94e07616a6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_01
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Mutant created: \Sessions\1\BaseNamedObjects\RtIYcrDD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_01

Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: cRC31pEDkr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: cRC31pEDkr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: cRC31pEDkr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: cRC31pEDkr.exe, Snake/Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: KgZEfacljaFey.exe.0.dr, Snake/Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.cRC31pEDkr.exe.e60000.0.unpack, Snake/Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_030CD838 pushad ; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_030CD83B push esp; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 0_2_07BF3602 push edi; retf
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127CF52 push 8402B5CBh; retf
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127D83A push esp; iretd
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_0127D838 pushad ; iretd
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Code function: 7_2_052A624F push eax; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE0F0 push edx; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE471 push ebx; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE0D8 push ecx; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE0E3 push ecx; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE0E7 push ecx; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE349 push edx; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE36F push edx; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBE373 push edx; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBEDEF push edi; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBEDF3 push edi; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBEDF7 push edi; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBED89 push esi; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBEDB9 push esi; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB8A61 push ss; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB8A70 push ss; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB96C7 push ds; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB9660 push ds; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CBF798 pushad ; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB93D9 push ds; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB7A80 push cs; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04CB7A71 push cs; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04D90027 push 683C04CFh; iretd
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Code function: 10_2_04D969F8 pushad ; retf

Source: cRC31pEDkr.exe

Static PE information: 0xF2C4F3B5 [Sun Jan 25 03:08:37 2099 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.818047676595979
Source: initial sample	Static PE information: section name: .text entropy: 7.818047676595979

Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

File opened: C:\Users\user\Desktop\cRC31pEDkr.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.cRC31pEDkr.exe.32981e4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.32731c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.KgZEfacljaFey.exe.2c93208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.KgZEfacljaFey.exe.2cb8224.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KgZEfacljaFey.exe PID: 6040, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: cRC31pEDkr.exe, 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: cRC31pEDkr.exe, 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\cRC31pEDkr.exe TID: 5236	Thread sleep time: -37665s >= -30000s
Source: C:\Users\user\Desktop\cRC31pEDkr.exe TID: 3924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3584	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2848	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe TID: 6064	Thread sleep time: -37665s >= -30000s
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe TID: 1728	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\cRC31pEDkr.exe TID: 3124	Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe TID: 860	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9305
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9086
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Window / User API: threadDelayed 9713
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Window / User API: foregroundWindowGot 853

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Thread delayed: delay time: 37665
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Thread delayed: delay time: 37665
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Thread delayed: delay time: 922337203685477

Source: KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: cRC31pEDkr.exe, 0000000A.00000002.561292320.0000000000C80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Memory written: C:\Users\user\Desktop\cRC31pEDkr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Memory written: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe base: 400000 value starts with: 4D5A

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Process created: C:\Users\user\Desktop\cRC31pEDkr.exe C:\Users\user\Desktop\cRC31pEDkr.exe
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Process created: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.0000000002958000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@ %Gp@
Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000029F0000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerp

Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Users\user\Desktop\cRC31pEDkr.exe VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Users\user\Desktop\cRC31pEDkr.exe VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\cRC31pEDkr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\cRC31pEDkr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected zgRAT

Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR

Remote Access Functionality

Yara detected zgRAT

Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE

Detected Nanocore Rat

Source: cRC31pEDkr.exe, 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: cRC31pEDkr.exe, 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: cRC31pEDkr.exe, 0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: cRC31pEDkr.exe, 0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHost
Source: KgZEfacljaFey.exe, 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: KgZEfacljaFey.exe, 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: KgZEfacljaFey.exe, 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: KgZEfacljaFey.exe, 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: KgZEfacljaFey.exe, 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8b12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b9458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.3b8ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cRC31pEDkr.exe.5a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.KgZEfacljaFey.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.43d2800.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.436a5c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cRC31pEDkr.exe.439fde0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 4064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cRC31pEDkr.exe PID: 1876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KgZEfacljaFey.exe PID: 5196, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	1 Masquerading	11 Input Capture	21 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	13 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cRC31pEDkr.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
cRC31pEDkr.exe	58%	Virustotal		Browse
cRC31pEDkr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
10.2.cRC31pEDkr.exe.5a60000.5.unpack	100%	Avira	TR/NanoCore.fadte		Download File
14.2.KgZEfacljaFey.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

Source	Detection	Scanner	Label	Link
elzy.ddns.net	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.fontbureau.comgreta	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com9	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comcomd	0%	URL Reputation	safe
http://www.carterandcone.comX	0%	URL Reputation	safe
http://www.fontbureau.comk:	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/K	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/B	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.sandoll.co.krUN.TTFq	0%	Avira URL Cloud	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/t	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.zhongyicts.com.cnF	0%	URL Reputation	safe
http://www.founder.com.cn/cn%	0%	URL Reputation	safe
http://www.fontbureau.comI.TTF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/B	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/K	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.carterandcone.com/	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.com=	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/pa	0%	Avira URL Cloud	safe
http://www.carterandcone.comUI	0%	Avira URL Cloud	safe
http://www.fontbureau.comdfet	0%	Avira URL Cloud	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.sandoll.co.krs-c	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnp	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s_tr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/Y	0%	URL Reputation	safe
http://www.carterandcone.como.T	0%	Avira URL Cloud	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/o	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.founder.com.cn/cnalg	0%	Avira URL Cloud	safe
http://www.fontbureau.comalicB	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.carterandcone.comorm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0;	0%	Avira URL Cloud	safe
http://www.carterandcone.comiE	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0MSB	0%	Avira URL Cloud	safe
http://www.carterandcone.comgU	0%	Avira URL Cloud	safe
http://www.tiro.com(T	0%	Avira URL Cloud	safe
http://www.fontbureau.comsivdo	0%	Avira URL Cloud	safe
http://www.agfamonotype.:	0%	Avira URL Cloud	safe
http://fontfabrik.com(	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnai	0%	Avira URL Cloud	safe
http://www.carterandcone.comTCO	0%	Avira URL Cloud	safe
http://fontfabrik.comV	0%	Avira URL Cloud	safe
http://www.fontbureau.comFB	0%	Avira URL Cloud	safe
elzy.ddns.net	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/q	0%	Avira URL Cloud	safe
http://www.fontbureau.comF:	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comb-n	0%	Avira URL Cloud	safe
127.0.0.1	0%	Avira URL Cloud	safe
http://www.fontbureau.comonyo	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com.I	0%	Avira URL Cloud	safe
http://www.fontbureau.comsivr	0%	Avira URL Cloud	safe
http://www.fontbureau.comtur	0%	Avira URL Cloud	safe
http://www.fontbureau.comcomFB	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn%I	0%	Avira URL Cloud	safe
http://www.fontbureau.comuB	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/H	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elzy.ddns.net	194.5.98.22	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
elzy.ddns.net	true	Avira URL Cloud: safe	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designers/frere-jones.htmld.	cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061C4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061C3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305483804.00000000061C3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/pa	cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comk:	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307034097.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307202697.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.307122475.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comUI	cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comgreta	cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312989584.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krUN.TTFq	cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com9	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdfet	cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	cRC31pEDkr.exe, 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, KgZEfacljaFey.exe, 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.como.	cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com=	cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.galapagosdesign.com/	cRC31pEDkr.exe, 00000000.00000003.308327351.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308403894.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308132703.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.308242645.00000000061B1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.como.T	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcomd	cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comX	cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnalg	cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/K	cRC31pEDkr.exe, 00000000.00000003.301234096.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comalicB	cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/B	cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.come.com	cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355271792.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w	cRC31pEDkr.exe, 00000000.00000003.297044710.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296998530.00000000061B7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comiE	cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0;	cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298249561.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0MSB	cRC31pEDkr.exe, 00000000.00000003.301234096.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/t	cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comgU	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com(T	cRC31pEDkr.exe, 00000000.00000003.299081793.000000000187C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.comsivdo	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agfamonotype.:	cRC31pEDkr.exe, 00000000.00000003.312291594.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312434363.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comals	cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com(	cRC31pEDkr.exe, 00000000.00000003.296893411.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296871633.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296944042.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296850779.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296915043.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296828770.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296755309.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296778637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.zhongyicts.com.cnF	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cnai	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn%	cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comI.TTF	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306063064.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.comV	cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296778637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/B	cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersL	cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/K	cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comTCO	cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299081793.000000000187C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com/	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comFB	cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com.	cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krs-c	cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298129567.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	cRC31pEDkr.exe, 00000000.00000003.308242645.00000000061B1000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.309287347.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.309054521.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	cRC31pEDkr.exe, 00000000.00000003.296795116.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296850779.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296828770.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.296726022.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnp	cRC31pEDkr.exe, 00000000.00000003.298437658.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298492392.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/q	cRC31pEDkr.exe, 00000000.00000003.308132703.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comF:	cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.312989584.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313567844.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355271792.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersx	cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/s_tr	cRC31pEDkr.exe, 00000000.00000003.302453010.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302393161.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302254936.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302501034.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302344077.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.comb-n	cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	cRC31pEDkr.exe, 00000000.00000003.298180772.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298129567.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298291425.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298215222.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298249561.00000000061B1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersn	cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/Y	cRC31pEDkr.exe, 00000000.00000003.304174210.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304255888.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302711504.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302453010.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303976325.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303455893.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302393161.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302254936.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303356467.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304105124.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302841481.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301490267.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302937899.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303747330.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302501034.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302640559.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.303072404.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comonyo	cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304421291.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304353505.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304556150.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304506350.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306063064.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.comF	cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306012535.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305962193.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305830017.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305783137.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305910322.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306141858.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comTC	cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comsivr	cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com.I	cRC31pEDkr.exe, 00000000.00000003.295924683.0000000006192000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/o	cRC31pEDkr.exe, 00000000.00000003.301785059.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301578884.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302112307.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301845055.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comcomFB	cRC31pEDkr.exe, 00000000.00000003.306651559.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306765652.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306221985.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306335557.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306899940.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306566595.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.306708081.00000000061B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comtur	cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/H	cRC31pEDkr.exe, 00000000.00000003.298728068.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299661403.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299622371.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299398041.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300300850.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298967599.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298859286.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299487627.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299442136.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299115455.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299194871.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300062616.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299700076.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299806283.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299958934.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.299896606.00000000061B9000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298929001.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd	cRC31pEDkr.exe, 00000000.00000003.304814982.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305285674.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305615259.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305740219.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305000246.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304556150.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305570163.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305229705.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304597500.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304911562.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305173293.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305068245.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304695105.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304762717.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305432351.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305703104.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.305526668.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304864258.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn%I	cRC31pEDkr.exe, 00000000.00000003.299274112.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/cabarga.htmlN	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	cRC31pEDkr.exe, 00000000.00000003.298437658.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298515941.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298663743.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.298492392.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comuB	cRC31pEDkr.exe, 00000000.00000003.313368578.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313245718.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313086465.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.313446406.00000000061AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comorm	cRC31pEDkr.exe, 00000000.00000003.300199248.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.300143320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	cRC31pEDkr.exe, 00000000.00000003.301430204.00000000061AF000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301752812.00000000061B4000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301721227.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.301955327.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302344077.00000000061B2000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.302191536.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	cRC31pEDkr.exe, 00000000.00000002.355816289.00000000073A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/	cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061BB000.00000004.00000020.00020000.00000000.sdmp, cRC31pEDkr.exe, 00000000.00000003.304305637.00000000061B3000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.22	elzy.ddns.net	Netherlands		208476	DANILENKODE	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800441
Start date and time:	2023-02-07 13:58:11 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 13s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	cRC31pEDkr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/12@10/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:59:13	API Interceptor	784x Sleep call for process: cRC31pEDkr.exe modified
13:59:17	Task Scheduler	Run new task: KgZEfacljaFey path: C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
13:59:18	API Interceptor	55x Sleep call for process: powershell.exe modified
13:59:32	API Interceptor	1x Sleep call for process: KgZEfacljaFey.exe modified

Process:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cRC31pEDkr.exe.log

Download File

Process:	C:\Users\user\Desktop\cRC31pEDkr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21864
Entropy (8bit):	5.598059944466488
Encrypted:	false
SSDEEP:	384:+tCRLq0+3R2EYf3YSVxnejulrItCiJ9g9SJ3uyV1lm0ZSAVrdt8hqA+iRYg:bDgUxeClrSy9cuG3Uqg
MD5:	F0E335C7015467AA88CB725D1E79D3E3
SHA1:	2CB9B862933DC5AF60596D12EDB1F676C4AD9B6F
SHA-256:	C02AE364FCD84F5B4E478CB668B7F578C55E678AF9EE4C30254FB90B30BD0422
SHA-512:	8CE3A87486B215ABCDB564EBC8489E1D88065F7936D5234E6BCC201A1D34C4845D618CBC04F95F40700170A806881486B2E45E2F161188B9FD19831C24F8EB22
Malicious:	false
Preview:	@...e...............................:.X..............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l55gaxga.5bu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wn1bnogj.r25.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xlbtqxm5.ana.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0sc0zox.gi0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp5E04.tmp

Download File

Process:	C:\Users\user\Desktop\cRC31pEDkr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	5.134330559128222
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTuv
MD5:	B60F588C1155AF27B4F7C47D9BA68B63
SHA1:	060A5DB198839D2D4D33E2DA93540D3BD1851042
SHA-256:	4467302D8DE2891402E2EC25B9824333F433D46A306D120E32D93BE4F216C492
SHA-512:	89527F28ED63991D6B1C0D18FDA21F9CF77E0CAB8EEA228359B9781C57FCE2D5EDACDBE5F26C5EB39DEE9C9B0384BD9C89628991D6A5C53B4C87B426410FD537
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	5.134330559128222
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTuv
MD5:	B60F588C1155AF27B4F7C47D9BA68B63
SHA1:	060A5DB198839D2D4D33E2DA93540D3BD1851042
SHA-256:	4467302D8DE2891402E2EC25B9824333F433D46A306D120E32D93BE4F216C492
SHA-512:	89527F28ED63991D6B1C0D18FDA21F9CF77E0CAB8EEA228359B9781C57FCE2D5EDACDBE5F26C5EB39DEE9C9B0384BD9C89628991D6A5C53B4C87B426410FD537
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\cRC31pEDkr.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:CS:P
MD5:	76420758AE4C29CAAD2AA6B116E41716
SHA1:	59893B920B4F94B033959DA9C02E6156E8DD98DF
SHA-256:	136D683384EA664828711F6043304C6D2A1E89C3F8DAD346F6007FF13DD5F45D
SHA-512:	892DCB7634396D212CFA50CCA7610683BC01B83743131BE2F700912617F563498EBE2F0450DD59CF46448A298DB2A37C68394DEFF8A00D5480CD68F6A509FB64
Malicious:	true
Preview:	of.V..H

C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe

Download File

Process:	C:\Users\user\Desktop\cRC31pEDkr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	705536
Entropy (8bit):	7.810105998338931
Encrypted:	false
SSDEEP:	12288:VVC66Bm2iNNHOp7HPfubIVc1E0cE3UyV5sXoDCnJ8OSTaHlUI1FuH66B:GVM1rut21E0cEkI24D6PSuHlvuHV
MD5:	AC2609D2181F756550E3C180329B121C
SHA1:	2AC2462013BE76E3BB606C7DEAEC5E0E4609CD59
SHA-256:	9730AEE1D4D04BB12E1DF2A5550741EED7266625F8D99443DD0CD0DFFCA07112
SHA-512:	EE9DC08DD3E713FFE4A7FB658A37E8C689A5CDAC7E1CFA6FB3A26A048663FF70B524C49FCEF3B0C033D4DD2EFBE290E2DC62BE74145C461D1E711356C826CDA2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...w...........................................................0............}......}.....(.......(........}.......s....}..... .... ....s....}......{......s....}.....{....r...po......(.....{....o......{......o......{....o..........s....s....}.....(......(.....{....o.....*....0.............{.....X}.....{.....].....,-..{....(....o......{....o....(....o.....8......{....( ...o......{....o....( ...o.......(......{....,..{.......+....,..(.....{......s....o........{....o!..

C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\cRC31pEDkr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.810105998338931
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	cRC31pEDkr.exe
File size:	705536
MD5:	ac2609d2181f756550e3c180329b121c
SHA1:	2ac2462013be76e3bb606c7deaec5e0e4609cd59
SHA256:	9730aee1d4d04bb12e1df2a5550741eed7266625f8d99443dd0cd0dffca07112
SHA512:	ee9dc08dd3e713ffe4a7fb658a37e8c689a5cdac7e1cfa6fb3a26a048663ff70b524c49fcef3b0c033d4dd2efbe290e2dc62be74145c461d1e711356c826cda2
SSDEEP:	12288:VVC66Bm2iNNHOp7HPfubIVc1E0cE3UyV5sXoDCnJ8OSTaHlUI1FuH66B:GVM1rut21E0cEkI24D6PSuHlvuHV
TLSH:	39E401811D64CA58E2F90EBD0F7C5A2D8FF45C9923E3E2B40BE6B4D9A463783C815536
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4ad902
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF2C4F3B5 [Sun Jan 25 03:08:37 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xad8b0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x5bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xad894	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xab908	0xaba00	False	0.8738022350691915	data	7.818047676595979	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x5bc	0x600	False	0.4283854166666667	data	4.10376699366461	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb0000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xae090	0x32c	data
RT_MANIFEST	0xae3cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 13:59:31.713982105 CET	49701	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:31.757090092 CET	2000	49701	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:32.392255068 CET	49701	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:32.435534000 CET	2000	49701	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:33.001553059 CET	49701	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:33.044615030 CET	2000	49701	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:37.180790901 CET	49702	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:37.223854065 CET	2000	49702	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:37.845783949 CET	49702	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:37.888947010 CET	2000	49702	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:38.549042940 CET	49702	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:38.592144012 CET	2000	49702	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:42.792201996 CET	49703	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:42.835329056 CET	2000	49703	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:43.346213102 CET	49703	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:43.389285088 CET	2000	49703	194.5.98.22	192.168.2.5
Feb 7, 2023 13:59:44.049402952 CET	49703	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 13:59:44.092649937 CET	2000	49703	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:04.116805077 CET	49710	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:04.159924030 CET	2000	49710	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:04.660533905 CET	49710	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:04.703702927 CET	2000	49710	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:05.207479000 CET	49710	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:05.250614882 CET	2000	49710	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:09.301789045 CET	49712	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:09.344774961 CET	2000	49712	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:09.848398924 CET	49712	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:09.891593933 CET	2000	49712	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:10.395400047 CET	49712	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:10.438546896 CET	2000	49712	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:14.486471891 CET	49713	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:14.530375004 CET	2000	49713	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:15.036335945 CET	49713	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:15.081300020 CET	2000	49713	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:15.583241940 CET	49713	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:15.626451015 CET	2000	49713	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:35.702507973 CET	49718	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:35.745628119 CET	2000	49718	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:36.256872892 CET	49718	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:36.300020933 CET	2000	49718	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:36.803818941 CET	49718	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:36.846869946 CET	2000	49718	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:41.506460905 CET	49719	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:41.549746990 CET	2000	49719	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:42.054270983 CET	49719	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:42.097364902 CET	2000	49719	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:42.663737059 CET	49719	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:42.708404064 CET	2000	49719	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:46.919289112 CET	49721	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:46.962531090 CET	2000	49721	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:47.476569891 CET	49721	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:47.519581079 CET	2000	49721	194.5.98.22	192.168.2.5
Feb 7, 2023 14:00:48.023495913 CET	49721	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:00:48.066632986 CET	2000	49721	194.5.98.22	192.168.2.5
Feb 7, 2023 14:01:07.652275085 CET	49726	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:01:07.695615053 CET	2000	49726	194.5.98.22	192.168.2.5
Feb 7, 2023 14:01:08.207467079 CET	49726	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:01:08.250525951 CET	2000	49726	194.5.98.22	192.168.2.5
Feb 7, 2023 14:01:08.762331963 CET	49726	2000	192.168.2.5	194.5.98.22
Feb 7, 2023 14:01:08.805807114 CET	2000	49726	194.5.98.22	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 13:59:31.679389000 CET	61893	53	192.168.2.5	8.8.8.8
Feb 7, 2023 13:59:31.699139118 CET	53	61893	8.8.8.8	192.168.2.5
Feb 7, 2023 13:59:37.159048080 CET	60649	53	192.168.2.5	8.8.8.8
Feb 7, 2023 13:59:37.179442883 CET	53	60649	8.8.8.8	192.168.2.5
Feb 7, 2023 13:59:42.715939045 CET	51441	53	192.168.2.5	8.8.8.8
Feb 7, 2023 13:59:42.735929966 CET	53	51441	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:04.092628002 CET	65323	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:04.113540888 CET	53	65323	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:09.282095909 CET	63446	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:09.300489902 CET	53	63446	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:14.467171907 CET	56751	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:14.485213041 CET	53	56751	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:35.679114103 CET	60975	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:35.700711012 CET	53	60975	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:41.407455921 CET	59220	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:41.429548979 CET	53	59220	8.8.8.8	192.168.2.5
Feb 7, 2023 14:00:46.845959902 CET	56682	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:00:46.865693092 CET	53	56682	8.8.8.8	192.168.2.5
Feb 7, 2023 14:01:07.633317947 CET	62659	53	192.168.2.5	8.8.8.8
Feb 7, 2023 14:01:07.651314974 CET	53	62659	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 7, 2023 13:59:31.679389000 CET	192.168.2.5	8.8.8.8	0xb8e1	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:59:37.159048080 CET	192.168.2.5	8.8.8.8	0xc0cd	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:59:42.715939045 CET	192.168.2.5	8.8.8.8	0xc75e	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:04.092628002 CET	192.168.2.5	8.8.8.8	0x1f49	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:09.282095909 CET	192.168.2.5	8.8.8.8	0x26db	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:14.467171907 CET	192.168.2.5	8.8.8.8	0x8558	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:35.679114103 CET	192.168.2.5	8.8.8.8	0xdfdc	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:41.407455921 CET	192.168.2.5	8.8.8.8	0x1d80	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:46.845959902 CET	192.168.2.5	8.8.8.8	0x7a18	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:01:07.633317947 CET	192.168.2.5	8.8.8.8	0xd446	Standard query (0)	elzy.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 7, 2023 13:59:31.699139118 CET	8.8.8.8	192.168.2.5	0xb8e1	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:59:37.179442883 CET	8.8.8.8	192.168.2.5	0xc0cd	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 13:59:42.735929966 CET	8.8.8.8	192.168.2.5	0xc75e	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:04.113540888 CET	8.8.8.8	192.168.2.5	0x1f49	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:09.300489902 CET	8.8.8.8	192.168.2.5	0x26db	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:14.485213041 CET	8.8.8.8	192.168.2.5	0x8558	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:35.700711012 CET	8.8.8.8	192.168.2.5	0xdfdc	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:41.429548979 CET	8.8.8.8	192.168.2.5	0x1d80	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:00:46.865693092 CET	8.8.8.8	192.168.2.5	0x7a18	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false
Feb 7, 2023 14:01:07.651314974 CET	8.8.8.8	192.168.2.5	0xd446	No error (0)	elzy.ddns.net	194.5.98.22	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:59:04
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\cRC31pEDkr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\cRC31pEDkr.exe
Imagebase:	0xe60000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.350028595.000000000436A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.345847320.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.345847320.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: powershell.exePID: 3492, Parent PID: 4064

General

Target ID:	1
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\cRC31pEDkr.exe
Imagebase:	0xe80000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 4580, Parent PID: 3492

General

Target ID:	2
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 4332, Parent PID: 4064

General

Target ID:	3
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Imagebase:	0xe80000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 4592, Parent PID: 4332

General

Target ID:	4
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 4724, Parent PID: 4064

General

Target ID:	5
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmp5E04.tmp
Imagebase:	0x820000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 4476, Parent PID: 4724

General

Target ID:	6
Start time:	13:59:15
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: KgZEfacljaFey.exePID: 6040, Parent PID: 1084

General

Target ID:	7
Start time:	13:59:17
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Imagebase:	0x7ff7fcd70000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.388126518.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.388126518.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs
Reputation:	low

Analysis Process: cRC31pEDkr.exePID: 4980, Parent PID: 4064

General

Target ID:	8
Start time:	13:59:24
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\cRC31pEDkr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\cRC31pEDkr.exe
Imagebase:	0x1a0000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: cRC31pEDkr.exePID: 4556, Parent PID: 4064

General

Target ID:	9
Start time:	13:59:24
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\cRC31pEDkr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\cRC31pEDkr.exe
Imagebase:	0x2b0000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: cRC31pEDkr.exePID: 1876, Parent PID: 4064

General

Target ID:	10
Start time:	13:59:24
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\cRC31pEDkr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\cRC31pEDkr.exe
Imagebase:	0x450000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.562803290.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.567364411.0000000005290000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.566234207.000000000371B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.567497022.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: schtasks.exePID: 5600, Parent PID: 6040

General

Target ID:	12
Start time:	13:59:36
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgZEfacljaFey" /XML "C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp
Imagebase:	0x820000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 2056, Parent PID: 5600

General

Target ID:	13
Start time:	13:59:36
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: KgZEfacljaFey.exePID: 5196, Parent PID: 6040

General

Target ID:	14
Start time:	13:59:43
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\KgZEfacljaFey.exe
Imagebase:	0x750000
File size:	705536 bytes
MD5 hash:	AC2609D2181F756550E3C180329B121C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.404051124.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.401166525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.403629575.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Disassembly

⊘No disassembly

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cRC31pEDkr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KgZEfacljaFey.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cRC31pEDkr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l55gaxga.5bu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wn1bnogj.r25.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xlbtqxm5.ana.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0sc0zox.gi0.ps1

C:\Users\user\AppData\Local\Temp\tmp5E04.tmp

C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp

Windows Analysis Report
cRC31pEDkr.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre