Analysis Report uqoYt8EFEWQXAne.exe

Overview

General Information

Sample Name: uqoYt8EFEWQXAne.exe
Analysis ID: 356642
MD5: c415765ef678428f502b101039b7d495
SHA1: e5458ff58b98401d715a68a67afabdefaaf2edc3
SHA256: c024e649afaafd4d1a1ebc2c5a2c457eecd2b5994c2b78e32312eb5289b5c093
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • uqoYt8EFEWQXAne.exe (PID: 7160 cmdline: 'C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe' MD5: C415765EF678428F502B101039B7D495)
    • schtasks.exe (PID: 3984 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • uqoYt8EFEWQXAne.exe (PID: 3040 cmdline: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe MD5: C415765EF678428F502B101039B7D495)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x3f54d:$x1: NanoCore.ClientPluginHost
  • 0x7258d:$x1: NanoCore.ClientPluginHost
  • 0x3f58a:$x2: IClientNetworkHost
  • 0x725ca:$x2: IClientNetworkHost
  • 0x430bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x760fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x3f2b5:$a: NanoCore
  • 0x3f2c5:$a: NanoCore
  • 0x3f4f9:$a: NanoCore
  • 0x3f50d:$a: NanoCore
  • 0x3f54d:$a: NanoCore
  • 0x722f5:$a: NanoCore
  • 0x72305:$a: NanoCore
  • 0x72539:$a: NanoCore
  • 0x7254d:$a: NanoCore
  • 0x7258d:$a: NanoCore
  • 0x3f314:$b: ClientPlugin
  • 0x3f516:$b: ClientPlugin
  • 0x3f556:$b: ClientPlugin
  • 0x72354:$b: ClientPlugin
  • 0x72556:$b: ClientPlugin
  • 0x72596:$b: ClientPlugin
  • 0x3f43b:$c: ProjectData
  • 0x7247b:$c: ProjectData
  • 0x3fe42:$d: DESCrypto
  • 0x72e82:$d: DESCrypto
  • 0x4780e:$e: KeepAlive

Unpacked PEs

Source | Rule | Description | Author
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
0.2.uqoYt8EFEWQXAne.exe.2546bb0.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe, ProcessId: 3040, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe', ParentImage: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe, ParentProcessId: 7160, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp', ProcessId: 3984

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe; ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: uqoYt8EFEWQXAne.exe; Virustotal: Detection: 42%
Source: uqoYt8EFEWQXAne.exe; ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
Source: Yara match; File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: uqoYt8EFEWQXAne.exe; Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: uqoYt8EFEWQXAne.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: uqoYt8EFEWQXAne.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49747 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49750 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49751 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49759 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49764 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49786 -> 185.239.242.243:2010
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49787 -> 185.239.242.243:2010
Source: global traffic; TCP traffic: 192.168.2.4:49745 -> 185.239.242.243:2010
Source: Joe Sandbox View; ASN Name: CLOUDIE-AS-APCloudieLimitedHK
Source: unknown; TCP traffic detected without corresponding DNS query: 185.239.242.243
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.638312128.00000000054D5000.00000004.00000001.sdmp; String found in binary or memory: http://en.wxK
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.642649855.000000000550D000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlmq
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.660725626.00000000054D0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comF
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.660725626.00000000054D0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comgritaSOR
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.660725626.00000000054D0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comm=OD
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640101915.00000000054DE000.00000004.00000001.sdmp, uqoYt8EFEWQXAne.exe, 00000000.00000003.640686280.00000000054D8000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640371685.00000000054D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnL
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640183149.0000000000BAD000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnN
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640183149.0000000000BAD000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnO
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640101915.00000000054DE000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnmr_=
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640371685.00000000054D7000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnn
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.644430876.0000000005505000.00000004.00000001.sdmp; String found in binary or memory: http://www.monotype.
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.637920168.00000000054D3000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.637920168.00000000054D3000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comZ
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.637920168.00000000054D3000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.come
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp, uqoYt8EFEWQXAne.exe, 00000000.00000003.639384165.00000000054EB000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
Source: Yara match; File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: uqoYt8EFEWQXAne.exe, LogIn.cs; Long String: Length: 13656
Source: krPtdhRIieabB.exe.0.dr, LogIn.cs; Long String: Length: 13656
Source: 0.2.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.cs; Long String: Length: 13656
Source: 0.0.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.cs; Long String: Length: 13656
Source: 4.0.uqoYt8EFEWQXAne.exe.700000.0.unpack, LogIn.cs; Long String: Length: 13656
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Code function: 0_2_00B9C508
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Code function: 0_2_00B99990
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Code function: 0_2_06D396F8
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Code function: 0_2_06D30040
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Code function: 0_2_06D30D90
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Code function: 0_2_06D33278
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Code function: 0_2_06D33269
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Code function: 0_2_06D3301A
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Code function: 0_2_06D33028
Source: uqoYt8EFEWQXAne.exe; Binary or memory string: OriginalFilename vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000000.635181214.0000000000152000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameIsolatedStorageFilePermissionAttribute.exe6 vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameAsyncState.dllF vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.673360016.0000000008E20000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.673360016.0000000008E20000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.673206890.0000000008D30000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.669486065.0000000006B40000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.669605854.0000000006CC0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000004.00000000.659785837.0000000000702000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameIsolatedStorageFilePermissionAttribute.exe6 vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe; Binary or memory string: OriginalFilenameIsolatedStorageFilePermissionAttribute.exe6 vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: uqoYt8EFEWQXAne.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: krPtdhRIieabB.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: uqoYt8EFEWQXAne.exe, LogIn.cs; Base64 encoded string: (value omitted)
Source: krPtdhRIieabB.exe.0.dr, LogIn.cs; Base64 encoded string: (value omitted)
Source: 0.2.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.cs; Base64 encoded string: (value omitted)
Source: 0.0.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.cs; Base64 encoded string: (value omitted)
Source: 4.0.uqoYt8EFEWQXAne.exe.700000.0.unpack, LogIn.cs; Base64 encoded string: (value omitted)
Source: classification engine; Classification label: mal100.troj.evad.winEXE@6/8@0/1
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; File created: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4680:120:WilError_01
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Mutant created: \Sessions\1\BaseNamedObjects\KDtpJHnhkvnJksKbat
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{9e8dc517-1111-49c1-9ace-3da1a887c465}
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeFile created: C:\Users\user\AppData\Local\Temp\tmp975D.tmpJump to behavior
            Source: uqoYt8EFEWQXAne.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: uqoYt8EFEWQXAne.exeVirustotal: Detection: 42%
            Source: uqoYt8EFEWQXAne.exeReversingLabs: Detection: 31%
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeFile read: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe 'C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe'
            Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeProcess created: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: uqoYt8EFEWQXAne.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: uqoYt8EFEWQXAne.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: uqoYt8EFEWQXAne.exe, BoundHandle.cs; .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: krPtdhRIieabB.exe.0.dr, BoundHandle.cs; .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.uqoYt8EFEWQXAne.exe.150000.0.unpack, BoundHandle.cs; .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.uqoYt8EFEWQXAne.exe.150000.0.unpack, BoundHandle.cs; .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.uqoYt8EFEWQXAne.exe.700000.0.unpack, BoundHandle.cs; .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Code function: 0_2_06D365EC push eax; retf
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Code function: 0_2_06D36DEC push eax; ret
            Source: initial sample; Static PE information: section name: .text entropy: 7.49785747568
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; File created: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; File opened: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara match; File source: 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
            Source: Yara match; File source: 0.2.uqoYt8EFEWQXAne.exe.2546bb0.1.raw.unpack, type: UNPACKEDPE
            Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Window / User API: threadDelayed 4363
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Window / User API: threadDelayed 5112
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Window / User API: foregroundWindowGot 653
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Window / User API: foregroundWindowGot 783
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe TID: 7164; Thread sleep time: -103651s >= -30000s
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe TID: 4660; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe TID: 5112; Thread sleep time: -15679732462653109s >= -30000s
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp; Binary or memory string: vmware
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp; Binary or memory string: k%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp; Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware T
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp; Binary or memory string: VMWARE
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp; Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware T<
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp; Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware Tools
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Memory allocated: page read and write | page guard
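The registry values, the Win32_VideoController WMI query, the SbieDll.dll module name and the wine_get_unix_file_name export listed above are the sample's sandbox-fingerprinting checks. The Python below is an added example, not code from the report or from the sample: it encodes those checks as one evaluator that a sandbox operator can run against a snapshot of a guest's artifacts to see which of them would still expose the VM. Both snapshots are constructed; the first mirrors the VMware artifacts visible in this report (the VMware SVGA II adapter, the VMware Tools install path, a VMware virtual disk), the second is the same guest with those values spoofed. Matching on VBOX, VIRTUALBOX, QEMU and VIRTUAL as well as VMWARE is an assumption that goes beyond what this report shows.

```python
from typing import Dict, List

# Hypervisor markers. VMWARE is what the report evidences; the others are assumed for generality.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "VIRTUAL")

SYS = r"HKLM\HARDWARE\DESCRIPTION\System"
SCSI = r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
DISPLAY = r"HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000"
DISK = r"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum"
TOOLS = r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"

# (key, value name) pairs the sample read, as listed in the report.
REGISTRY_CHECKS = (
    (SYS, "SystemBiosVersion"),
    (SYS, "VideoBiosVersion"),
    (SCSI, "Identifier"),
    (DISPLAY, "DriverDesc"),
    (DISK, "0"),
    (TOOLS, "InstallPath"),
)


def vm_indicators(snapshot: Dict[str, object]) -> List[str]:
    """Apply the sample's checks to a guest snapshot and return the indicators that would fire.

    snapshot keys: "registry" {(key, value_name): data}, "video_controllers" [names],
    "modules" [loaded module names], "kernel32_exports" [export names].
    """
    hits: List[str] = []
    reg = snapshot.get("registry", {})
    for key, name in REGISTRY_CHECKS:
        data = str(reg.get((key, name), ""))
        if name == "InstallPath" and data:          # mere presence of the Tools key is enough
            hits.append(f"VMware Tools install path present: {key}\\{name}")
        elif any(m in data.upper() for m in VM_MARKERS):
            hits.append(f"{key}\\{name} = {data}")
    for ctl in snapshot.get("video_controllers", []):   # SELECT * FROM Win32_VideoController
        if any(m in str(ctl).upper() for m in VM_MARKERS):
            hits.append(f"Win32_VideoController.Name = {ctl}")
    if any(str(m).lower() == "sbiedll.dll" for m in snapshot.get("modules", [])):
        hits.append("SbieDll.dll loaded (Sandboxie)")
    if "wine_get_unix_file_name" in snapshot.get("kernel32_exports", []):
        hits.append("kernel32 exports wine_get_unix_file_name (Wine)")
    return hits


# Constructed snapshot of a stock VMware guest; the strings echo what the report shows.
STOCK_VMWARE_GUEST = {
    "registry": {
        (SYS, "SystemBiosVersion"): "INTEL  - 6040000 PhoenixBIOS 4.0 Release 6.0",
        (SYS, "VideoBiosVersion"): "VMware SVGA II BIOS",
        (SCSI, "Identifier"): "VMware, VMware Virtual S SCSI Disk Device",
        (DISPLAY, "DriverDesc"): "VMware SVGA II",
        (DISK, "0"): r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
        (TOOLS, "InstallPath"): "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
    },
    "video_controllers": ["VMware SVGA II"],
    "modules": ["kernel32.dll", "mscoree.dll"],
    "kernel32_exports": ["GetProcAddress"],
}

# Constructed snapshot of the same guest after the operator spoofed the values the sample reads.
HARDENED_GUEST = {
    "registry": {
        (SYS, "SystemBiosVersion"): "American Megatrends Inc. 2.17",
        (SYS, "VideoBiosVersion"): "Hardware Version 0",
        (SCSI, "Identifier"): "ATA     ST1000DM003-1CH162 CC45",
        (DISPLAY, "DriverDesc"): "NVIDIA GeForce GTX 1060",
        (DISK, "0"): r"IDE\DiskST1000DM003-1CH162_____CC45\4&2a8b6e5&0&0.0.0",
    },
    "video_controllers": ["NVIDIA GeForce GTX 1060"],
    "modules": ["kernel32.dll", "mscoree.dll"],
    "kernel32_exports": ["GetProcAddress"],
}

if __name__ == "__main__":
    for label, snap in (("stock VMware guest", STOCK_VMWARE_GUEST), ("hardened guest", HARDENED_GUEST)):
        print(label, "->", vm_indicators(snap) or "no indicators")
```

The point of running this against a real snapshot is that the sample does not need every check to succeed: a single surviving string such as the SVGA adapter name is enough, so the hardened snapshot must come back empty, not merely shorter.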

            HIPS / PFW / Operating System Protection Evasion:

            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Memory written: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Process created: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
The following three WMI queries were each recorded 15 times (45 entries in the original listing):
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
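
The MachineGuid read together with the sweep of all three ROOT\SecurityCenter2 classes is the host-fingerprinting pattern the "Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)" signature keys on. The script below is an added example, not part of this report or of Joe Sandbox; it parses signature lines in the flattened "Source: <process><Action>: <detail>" form used on this page and raises a per-process verdict. The input list is constructed from entries above plus one hypothetical line for an inventory agent (C:\Program Files\Inventory\agent.exe) that queries only the AV product, to show that a single SecurityCenter2 query does not by itself produce the strong verdict. The verdict labels are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: signature lines in the flattened form this report
# uses, "Source: <process path><Action>: <detail>", plus one hypothetical line
# for an inventory agent that only asks for the AV product.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct",
    r"Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct",
    r"Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation",
    r"Source: C:\Program Files\Inventory\agent.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
]

# Action names that occur on this page. The extraction glued the action onto the
# end of the process path, so this list is what lets us split the two apart.
ACTIONS = ("WMI Queries", "Key value queried", "Queries volume information")
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)(?P<action>"
    + "|".join(re.escape(a) for a in ACTIONS)
    + r"):\s*(?P<detail>.*)$"
)
# WQL against the SecurityCenter2 namespace; capture the class being enumerated.
SC2_RE = re.compile(r"ROOT\\SecurityCenter2\s*:\s*SELECT\s+\w+\s+FROM\s+(\w+)", re.I)
# The registry value read for a stable per-host identifier.
MACHINEGUID_RE = re.compile(r"\\Cryptography\s+MachineGuid$", re.I)
FULL_SWEEP = {"antivirusproduct", "antispywareproduct", "firewallproduct"}


def parse_line(line):
    """Split one report line into (process path, action, detail); None for non-signature lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("action"), m.group("detail")


def fingerprint_report(lines):
    """Return {process path: verdict} for every process that touched SecurityCenter2 or MachineGuid.

    host-fingerprint           : all three SecurityCenter2 classes enumerated AND MachineGuid read
    security-software-discovery: at least one SecurityCenter2 class enumerated
    machineguid-only           : MachineGuid read without any SecurityCenter2 query
    """
    per_proc = defaultdict(lambda: {"sc2": set(), "machineguid": False})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, action, detail = parsed
        if action == "WMI Queries":
            m = SC2_RE.search(detail)
            if m:
                per_proc[src]["sc2"].add(m.group(1).lower())
        elif action == "Key value queried" and MACHINEGUID_RE.search(detail):
            per_proc[src]["machineguid"] = True

    verdicts = {}
    for src, obs in per_proc.items():
        if obs["sc2"] >= FULL_SWEEP and obs["machineguid"]:
            verdicts[src] = "host-fingerprint"
        elif obs["sc2"]:
            verdicts[src] = "security-software-discovery"
        else:
            verdicts[src] = "machineguid-only"
    return verdicts


if __name__ == "__main__":
    for proc, verdict in fingerprint_report(SAMPLE_LINES).items():
        print(f"{verdict:28s} {proc}")
```

The count of repetitions (15 here) is deliberately ignored: the sample re-runs the sweep on a timer, but one full pass with the MachineGuid read is already the signal, and an agent that repeats a single query would otherwise accumulate a misleading score.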

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE

All four Yara hits are on memory or on a PE carved from memory of the submitted process (PID 7160); none is on the file as submitted. Together with the NanoCore.ClientPluginHost string, that places the NanoCore client inside the .NET loader's address space after unpacking, which is the image to carve (the 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4 unpack) if a configuration extractor is to be run.

Mitre Att&ck Matrix

Columns, left to right: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact. Digits after a technique name are the report's signature-count badges for that technique (the original renders them as separate badges, which the text extraction ran together); cells without digits are the fixed matrix template and matched no signature. An empty cell is shown as "-".

Valid Accounts | Windows Management Instrumentation 1 1 | Scheduled Task/Job 1 | Process Injection 1 1 1 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 3 2 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 1 3 | LSASS Memory | Virtualization/Sandbox Evasion 1 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 1 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 1 | Cached Domain Credentials | System Information Discovery 1 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
uqoYt8EFEWQXAne.exe | 43% | Virustotal | (no label)
uqoYt8EFEWQXAne.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
uqoYt8EFEWQXAne.exe | 100% | Joe Sandbox ML | (no label)

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe | 100% | Joe Sandbox ML | (no label)
C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Two points for anyone reusing these verdicts. First, the ReversingLabs family label (AgentTesla) contradicts the in-memory evidence above (NanoCore Yara hits and the NanoCore.ClientPluginHost string); static labels for .NET loaders of this kind are frequently generic, so the behavioural classification should take precedence. Second, the dropped %AppData% executable receives exactly the same score and label as the submitted sample, which is consistent with it being a copy written for persistence; confirm that by comparing hashes rather than assuming it.

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

URLs

URL | Detection | Scanner | Label | Rows in original listing
http://en.wxK | 0% | Avira URL Cloud | safe | 1
http://www.founder.com.cn/cnO | 0% | Avira URL Cloud | safe | 1
http://www.founder.com.cn/cnN | 0% | Avira URL Cloud | safe | 1
http://www.fontbureau.comF | 0% | URL Reputation | safe | 4
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe | 4
http://www.founder.com.cn/cnL | 0% | Avira URL Cloud | safe | 1
http://www.fontbureau.comgritaSOR | 0% | Avira URL Cloud | safe | 1
http://www.fontbureau.comm=OD | 0% | Avira URL Cloud | safe | 1
http://www.tiro.com | 0% | URL Reputation | safe | 3
http://www.goodfont.co.kr | 0% | URL Reputation | safe | 3
http://www.carterandcone.coml | 0% | URL Reputation | safe | 3
http://www.founder.com.cn/cnmr_= | 0% | Avira URL Cloud | safe | 1
http://www.sajatypeworks.com | 0% | URL Reputation | safe | 3
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe | 3
http://www.typography.netD | 0% | URL Reputation | safe | 3
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe | 3
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe | 3
http://fontfabrik.com | 0% | URL Reputation | safe | 3
http://www.founder.com.cn/cn | 0% | URL Reputation | safe | 3
http://www.ascendercorp.com/typedesigners.htmlmq | 0% | Avira URL Cloud | safe | 1
http://www.monotype. | 0% | URL Reputation | safe | 3
http://www.sajatypeworks.comZ | 0% | Avira URL Cloud | safe | 1
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe | 3
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe | 3
http://www.sandoll.co.kr | 0% | URL Reputation | safe | 3
http://www.urwpp.deDPlease | 0% | URL Reputation | safe | 3
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe | 3
http://www.sajatypeworks.come | 0% | URL Reputation | safe | 3
http://www.sakkal.com | 0% | URL Reputation | safe | 3

Every address in this table belongs to a type foundry, and the process enumerated every file under C:\Windows\Fonts (see the "Queries volume information" entries above): these are vendor URLs carved from TrueType name-table strings that the fonts brought into the process, not addresses the sample contacted. The odd suffixes (comF, cnO, DPlease, m=OD) are what string carving produces when it runs past the end of a name record into adjacent bytes. None of these is an indicator for this sample; the only observed network endpoint is the IP listed under Contacted IPs.

            Domains and IPs

            Contacted Domains

            No contacted domains info

URLs from Memory and Binaries

All entries are from the process uqoYt8EFEWQXAne.exe and all are marked Malicious: false. The memory dumps referenced are:

A: 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp
B: 00000000.00000003.660725626.00000000054D0000.00000004.00000001.sdmp
C: 00000000.00000003.638312128.00000000054D5000.00000004.00000001.sdmp
D: 00000000.00000003.640183149.0000000000BAD000.00000004.00000001.sdmp
E: 00000000.00000003.640371685.00000000054D7000.00000004.00000001.sdmp
F: 00000000.00000003.639384165.00000000054EB000.00000004.00000001.sdmp
G: 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp
H: 00000000.00000003.640101915.00000000054DE000.00000004.00000001.sdmp
I: 00000000.00000003.637920168.00000000054D3000.00000004.00000001.sdmp
J: 00000000.00000003.640686280.00000000054D8000.00000004.00000001.sdmp
K: 00000000.00000003.642649855.000000000550D000.00000004.00000001.sdmp
L: 00000000.00000003.644430876.0000000005505000.00000004.00000001.sdmp

Name | Source dump | Antivirus detection | Reputation
http://en.wxK | C | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnO | D | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnN | D | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | A | none | high
http://www.fontbureau.com | A | none | high
http://www.fontbureau.com/designersG | A | none | high
http://www.fontbureau.comF | B | URL Reputation: safe (4 lookups) | unknown
http://www.fontbureau.com/designers/? | A | none | high
http://www.founder.com.cn/cn/bThe | A | URL Reputation: safe (4 lookups) | unknown
http://www.founder.com.cn/cnL | E | Avira URL Cloud: safe | unknown
http://www.fontbureau.comgritaSOR | B | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | A | none | high
http://www.fontbureau.comm=OD | B | Avira URL Cloud: safe | low
http://www.tiro.com | A, F | URL Reputation: safe (3 lookups) | unknown
http://www.fontbureau.com/designers | A | none | high
http://www.goodfont.co.kr | A | URL Reputation: safe (3 lookups) | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | G | none | high
http://www.carterandcone.coml | A | URL Reputation: safe (3 lookups) | unknown
http://www.founder.com.cn/cnmr_= | H | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | I | URL Reputation: safe (3 lookups) | unknown
http://www.founder.com.cn/cn/ | H, J | URL Reputation: safe (3 lookups) | unknown
http://www.typography.netD | A | URL Reputation: safe (3 lookups) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | A | none | high
http://www.founder.com.cn/cn/cThe | A | URL Reputation: safe (3 lookups) | unknown
http://www.founder.com.cn/cnn | E | none | unknown
http://www.galapagosdesign.com/staff/dennis.htm | A | URL Reputation: safe (3 lookups) | unknown
http://fontfabrik.com | A | URL Reputation: safe (3 lookups) | unknown
http://www.founder.com.cn/cn | A | URL Reputation: safe (3 lookups) | unknown
http://www.fontbureau.com/designers/frere-user.html | A | none | high
http://www.ascendercorp.com/typedesigners.htmlmq | K | Avira URL Cloud: safe | unknown
http://www.monotype. | L | URL Reputation: safe (3 lookups) | unknown
http://www.sajatypeworks.comZ | I | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | A | URL Reputation: safe (3 lookups) | unknown
http://www.galapagosdesign.com/DPlease | A | URL Reputation: safe (3 lookups) | unknown
http://www.fontbureau.com/designers8 | A | none | high
http://www.fonts.com | A | none | high
http://www.sandoll.co.kr | A | URL Reputation: safe (3 lookups) | unknown
http://www.urwpp.deDPlease | A | URL Reputation: safe (3 lookups) | unknown
http://www.zhongyicts.com.cn | A | URL Reputation: safe (3 lookups) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | G | none | high
http://www.sajatypeworks.come | I | URL Reputation: safe (3 lookups) | unknown
http://www.sakkal.com | A | URL Reputation: safe (3 lookups) | unknown

Almost everything here sits in dump A and the 054Dxxxx/0550xxxx regions alongside the font-foundry strings discussed under URLs and is noise from the loaded fonts. The two entries from dump G (the 02511000 region, a read/write heap) are of a different kind: the schemas.xmlsoap.org claims URI is the standard .NET ClaimTypes.Name constant, and the Bootstrap CDN stylesheet link is a web resource string that deserves a look at where it is referenced, but neither is evidence of network activity by the sample.

                                      Contacted IPs

                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.239.242.243 | unknown | Moldova Republic of | 55933 | CLOUDIE-AS-AP Cloudie Limited HK | true

                                      General Information

                                      Joe Sandbox Version:31.0.0 Emerald
                                      Analysis ID:356642
                                      Start date:23.02.2021
                                      Start time:13:53:10
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 6m 23s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:uqoYt8EFEWQXAne.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:16
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@6/8@0/1
                                      EGA Information:Failed
                                      HDC Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 83%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                      • TCP Packets have been reduced to 100
                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

Time | Type | Description
13:54:00 | API Interceptor | 961x Sleep call for process: uqoYt8EFEWQXAne.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

Match: CLOUDIE-AS-AP Cloudie Limited HK

Associated Sample Name / URL | Detection | Context
New Order 2021.exe | malicious | 185.239.242.107
SecuriteInfo.com.Variant.Bulz.361092.25830.exe | malicious | 185.239.242.107
drWcfynA5k.exe | malicious | 185.239.242.107
i5Z2XIR5k8.exe | malicious | 185.239.242.107
receipt.doc | malicious | 185.239.242.107
Purchase Order KVRQ-743012021.doc | malicious | 185.239.242.107
902178.rtf | malicious | 185.239.242.107
22urmvdx0H.exe | malicious | 185.239.242.107
Vendor from.doc | malicious | 185.239.242.107
Proforma Invoice.doc | malicious | 185.239.242.107
order170221.exe | malicious | 185.239.242.107
SecuriteInfo.com.Variant.Bulz.361092.7175.exe | malicious | 185.239.242.107
SWIFT COPY $27,078.exe | malicious | 185.239.242.107
kellyx.exe | malicious | 185.239.242.107
SWIFT COPY 27078.exe | malicious | 185.239.242.107
Payment Advice 170221.exe | malicious | 185.239.242.107
ENQUIRY.doc | malicious | 185.239.242.107
SecuriteInfo.com.generic.ml.exe | malicious | 185.239.242.107
Payment Receipt.jar | malicious | 185.239.242.107
Paymentadvise.doc | malicious | 185.239.242.107

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uqoYt8EFEWQXAne.exe.log
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):1406
                                      Entropy (8bit):5.341099307467139
                                      Encrypted:false
                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
                                      MD5:E5FA1A53BA6D70E18192AF6AF7CFDBFA
                                      SHA1:1C076481F11366751B8DA795C98A54DE8D1D82D5
                                      SHA-256:1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
                                      SHA-512:77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
                                      Malicious:true
                                      Reputation:moderate, very likely benign file
                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                      C:\Users\user\AppData\Local\Temp\tmp975D.tmp
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1646
                                      Entropy (8bit):5.174690949576107
                                      Encrypted:false
                                      SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGNtn:cbhK79lNQR/rydbz9I3YODOLNdq3W
                                      MD5:126E3B613474ECAA1D9907447AB29E73
                                      SHA1:484AA9F88B924751F236851738B17072A41FAB62
                                      SHA-256:6A3C2131197E5AF173FBE5A0211853F0E6AFED2B1ABDE4129151564B99E60A9F
                                      SHA-512:38C29CE66994092539C130FDF57548FB8B328612F904F59E66BFC120A49C0189B8DD7F600F74B7D2FAD1840440456D0E910382C91B31113ED23EEF06118EA893
                                      Malicious:true
                                      Reputation:low
                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1624
                                      Entropy (8bit):7.024371743172393
                                      Encrypted:false
                                      SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC08
                                      MD5:0D79388CEC6619D612C2088173BB6741
                                      SHA1:8A312E3198009C545D0CF3254572189D29A03EA7
                                      SHA-256:D7D423B23D932E306F3CCB2F7A984B7036A042C007A43FD655C6B57B960BB8DF
                                      SHA-512:53BB3E9263DFD746E7E8159466E220E6EC9D81E9D3F0E1D191E09CD511B7EB93B0BA65D13CE0C97C652ECD0F69BB991E6B1840F961BC65003C4DD7AA93EEDA13
                                      Malicious:false
                                      Reputation:low
                                      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):8
                                      Entropy (8bit):3.0
                                      Encrypted:false
                                      SSDEEP:3:qi:qi
                                      MD5:BF504F3876526A01296886A5B4AEE886
                                      SHA1:56FCA050A19081209B611D03FFC486A68B9C368F
                                      SHA-256:DE7C120694DBBFA99B23C197184A0EB2E427EB8934FAD9A699FFC25741118CCC
                                      SHA-512:8D33452D421AEDB9C81F051DAD52A6E1B807FF26779D77790CD57E93E7772CE3AEBCE8067F1F1124B9B7C6AD82CF89EDBDD3F1F37FBD0FA0C9637000FF493FDD
                                      Malicious:true
                                      Reputation:low
                                      Preview: 7......H
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):40
                                      Entropy (8bit):5.153055907333276
                                      Encrypted:false
                                      SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                      MD5:4E5E92E2369688041CC82EF9650EDED2
                                      SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                      SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                      SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):327432
                                      Entropy (8bit):7.99938831605763
                                      Encrypted:true
                                      SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                      MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                      SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                      SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                      SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                      C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):527872
                                      Entropy (8bit):7.482730571721643
                                      Encrypted:false
                                      SSDEEP:12288:r+3HmKMLTOvaFESR5s87FvE4N4zjtx0qm5eINJPvu:aH4L5dR5s87FvOjtxhm5eIrnu
                                      MD5:C415765EF678428F502B101039B7D495
                                      SHA1:E5458FF58B98401D715A68A67AFABDEFAAF2EDC3
                                      SHA-256:C024E649AFAAFD4D1A1EBC2C5A2C457EECD2B5994C2B78E32312EB5289B5C093
                                      SHA-512:859DEB240D2E8EE1B5CC057AA63B0F8D49FEC83619B4C346821B09EFA5B9FCA01FB85396045658860468107F9A19A8710DB85C2C7B299351F6225C64034F2D8C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 32%
                                      Reputation:low
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .4`..............P.................. ... ....@.. .......................`............@.................................h...O.... ..P....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H........x...S...............J...........................................0............(....(..........(.....o ....*.....................(!......("......(#......($......(%....*N..(....o....(&....*&..('....*.s(........s)........s*........s+........s,........*....0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+..*.0......
                                      C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe:Zone.Identifier
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview: [ZoneTransfer]....ZoneId=0

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.482730571721643
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:uqoYt8EFEWQXAne.exe
                                      File size:527872
                                      MD5:c415765ef678428f502b101039b7d495
                                      SHA1:e5458ff58b98401d715a68a67afabdefaaf2edc3
                                      SHA256:c024e649afaafd4d1a1ebc2c5a2c457eecd2b5994c2b78e32312eb5289b5c093
                                      SHA512:859deb240d2e8ee1b5cc057aa63b0f8d49fec83619b4c346821b09efa5b9fca01fb85396045658860468107f9a19a8710db85c2c7b299351f6225c64034f2d8c
                                      SSDEEP:12288:r+3HmKMLTOvaFESR5s87FvE4N4zjtx0qm5eINJPvu:aH4L5dR5s87FvOjtxhm5eIrnu
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .4`..............P.................. ... ....@.. .......................`............@................................

                                      File Icon

                                      Icon Hash:00828e8e8686b000

                                      Static PE Info

                                      General

                                      Entrypoint:0x4816ba
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x60349B20 [Tue Feb 23 06:05:20 2021 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v4.0.30319
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al

                                      Data Directories

                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x81668          0x4f          .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x82000          0x1050        .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x84000          0xc           .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                      Sections

                                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                      .text   0x2000           0x7f6c0       0x7f800   False     0.772669653799   data       7.49785747568   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rsrc   0x82000          0x1050        0x1200    False     0.361979166667   data       4.73273150028   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc  0x84000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name         RVA      Size   Type                                             Language  Country
                                      RT_VERSION   0x82090  0x39c  data
                                      RT_MANIFEST  0x8243c  0xc0f  XML 1.0 document, UTF-8 Unicode (with BOM) text

                                      Imports

                                      DLL          Import
                                      mscoree.dll  _CorExeMain

                                      Version Infos

                                      Description       Data
                                      Translation       0x0000 0x04b0
                                      LegalCopyright    Copyright 2018
                                      Assembly Version  1.0.0.0
                                      InternalName      IsolatedStorageFilePermissionAttribute.exe
                                      FileVersion       1.0.0.0
                                      CompanyName
                                      LegalTrademarks
                                      Comments
                                      ProductName       RegisterVB
                                      ProductVersion    1.0.0.0
                                      FileDescription   RegisterVB
                                      OriginalFilename  IsolatedStorageFilePermissionAttribute.exe

                                      Network Behavior

                                      Snort IDS Alerts

                                      Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
                                      02/23/21-13:54:08.510703  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49745        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:54:15.977491  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49747        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:54:22.849012  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49750        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:54:28.855800  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49751        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:54:34.873087  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49759        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:54:41.879231  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49764        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:54:49.259735  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49766        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:54:55.260046  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49775        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:55:01.369094  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49776        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:55:07.366934  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49777        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:55:13.420841  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49778        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:55:20.360587  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49779        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:55:25.416649  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49780        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:55:30.452441  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49783        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:55:36.509869  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49784        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:55:43.477164  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49785        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:55:49.502138  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49786        2010       192.168.2.4  185.239.242.243
                                      02/23/21-13:55:56.520609  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49787        2010       192.168.2.4  185.239.242.243

                                      Network Port Distribution

                                      TCP Packets

                                      Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                      Feb 23, 2021 13:54:08.235266924 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:08.401680946 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:08.401907921 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:08.510703087 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:08.689546108 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:08.701209068 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:08.864763975 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:08.917184114 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.171945095 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.381033897 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.381109953 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.419231892 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.419270992 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.419301987 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.419316053 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.419328928 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.419353008 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.419373035 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.419378042 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.419401884 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.419403076 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.419426918 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.419430017 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.419450045 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.419464111 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.419475079 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.419506073 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.419536114 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.582185984 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582245111 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582283974 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582321882 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582343102 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.582360029 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582375050 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.582410097 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582453966 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582468033 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.582495928 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582535028 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582572937 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582604885 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.582611084 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582628012 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.582652092 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582690954 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582709074 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.582740068 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582787991 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582824945 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582834959 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.582865000 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582878113 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.582906961 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582945108 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.582957983 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.582986116 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.583064079 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.745871067 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.745958090 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746004105 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746042967 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746038914 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746082067 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746083975 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746124983 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746161938 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746172905 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746202946 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746243000 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746289015 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746292114 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746330976 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746335983 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746378899 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746417046 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746450901 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746454954 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746490002 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746495008 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746535063 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746573925 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746611118 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746620893 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746656895 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746665001 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746702909 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746750116 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746788025 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746788979 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746824026 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746826887 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746866941 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746906042 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746942043 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746953964 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.746992111 CET  49745        2010       192.168.2.4      185.239.242.243
                                      Feb 23, 2021 13:54:09.746998072 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.747036934 CET  2010         49745      185.239.242.243  192.168.2.4
                                      Feb 23, 2021 13:54:09.747076035 CET  2010         49745      185.239.242.243  192.168.2.4

                                      Code Manipulations

                                      Statistics

                                      Behavior

                                      System Behavior

                                      General

                                      Start time:13:53:52
                                      Start date:23/02/2021
                                      Path:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe'
                                      Imagebase:0x150000
                                      File size:527872 bytes
                                      MD5 hash:C415765EF678428F502B101039B7D495
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      Reputation:low

                                      General

                                      Start time:13:54:03
                                      Start date:23/02/2021
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'
                                      Imagebase:0xa00000
                                      File size:185856 bytes
                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:13:54:03
                                      Start date:23/02/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff724c50000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:13:54:04
                                      Start date:23/02/2021
                                      Path:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      Imagebase:0x700000
                                      File size:527872 bytes
                                      MD5 hash:C415765EF678428F502B101039B7D495
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:low

                                      Disassembly

                                      Code Analysis
