Analysis Report J62DQ7fO0b.exe

Overview

General Information

Sample Name: J62DQ7fO0b.exe
Analysis ID: 384486
MD5: a74ece32bc1b6db38a2d379c7fc78d2c
SHA1: 25ea63e67b842641e57bc5b405ea51ec9c6beb5b
SHA256: 20e490afba639ea251a2f095a8b9b85e1b9922ff6d8b6f47ceb567ba62521a28
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Startup

  • System is w10x64
  • J62DQ7fO0b.exe (PID: 6516 cmdline: 'C:\Users\user\Desktop\J62DQ7fO0b.exe' MD5: A74ECE32BC1B6DB38A2D379C7FC78D2C)
    • schtasks.exe (PID: 6628 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 7068 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1177b5:$x1: NanoCore.ClientPluginHost
  • 0x149fd5:$x1: NanoCore.ClientPluginHost
  • 0x1177f2:$x2: IClientNetworkHost
  • 0x14a012:$x2: IClientNetworkHost
  • 0x11b325:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x14db45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
Process Memory Space: J62DQ7fO0b.exe PID: 6516 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x429ad:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x429ea:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
0.2.J62DQ7fO0b.exe.3f83628.1.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.J62DQ7fO0b.exe.3f83628.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost

          Sigma Overview

          System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6672, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\J62DQ7fO0b.exe', ParentImage: C:\Users\user\Desktop\J62DQ7fO0b.exe, ParentProcessId: 6516, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp', ProcessId: 6628

          Signature Overview

          AV Detection:

Found malware configuration
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: J62DQ7fO0b.exe | Joe Sandbox ML: detected
Source: J62DQ7fO0b.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: J62DQ7fO0b.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000003.671469676.0000000001120000.00000004.00000001.sdmp, dhcpmon.exe, 00000005.00000000.699290873.00000000008C2000.00000002.00020000.sdmp, dhcpmon.exe.3.dr
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000003.671469676.0000000001120000.00000004.00000001.sdmp, dhcpmon.exe, dhcpmon.exe.3.dr
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49725 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49734 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49736 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49739 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49740 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49742 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49752 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49756 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49757 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49758 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49761 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49763 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 79.134.225.30:1144
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49772 -> 79.134.225.30:1144
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: nassiru1155.ddns.net
Source: Malware configuration extractor | URLs: 79.134.225.30
Source: global traffic | TCP traffic: 192.168.2.4:49725 -> 79.134.225.30:1144
Source: Joe Sandbox View | IP Address: 79.134.225.30
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: J62DQ7fO0b.exe, 00000000.00000002.670741597.0000000002E71000.00000004.00000001.sdmp, J62DQ7fO0b.exe, 00000000.00000002.671216367.0000000002F1A000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

          E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Code function: 0_2_07975BA0 NtQueryInformationProcess
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Code function: 0_2_07975B99 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeCode function: 0_2_07971860
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeCode function: 0_2_0F741280
          Source: J62DQ7fO0b.exe, 00000000.00000002.667985165.0000000000B5B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIBindableIterable.exe( vs J62DQ7fO0b.exe
          Source: J62DQ7fO0b.exe, 00000000.00000002.674685725.00000000040A7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll" vs J62DQ7fO0b.exe
          Source: J62DQ7fO0b.exe, 00000000.00000002.682513311.000000000F220000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs J62DQ7fO0b.exe
          Source: J62DQ7fO0b.exe, 00000000.00000002.682735920.000000000F320000.00000002.00000001.sdmpBinary or memory string: originalfilename vs J62DQ7fO0b.exe
          Source: J62DQ7fO0b.exe, 00000000.00000002.682735920.000000000F320000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs J62DQ7fO0b.exe
          Source: J62DQ7fO0b.exe, 00000000.00000002.679359494.0000000007910000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll2 vs J62DQ7fO0b.exe
          Source: J62DQ7fO0b.exeBinary or memory string: OriginalFilenameIBindableIterable.exe( vs J62DQ7fO0b.exe
          Source: J62DQ7fO0b.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/11@0/1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeFile created: C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exeJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_01
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeMutant created: \Sessions\1\BaseNamedObjects\KQdgwQc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{f57d5a77-8670-45ef-b736-5f3a07b68725}
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_01
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeFile created: C:\Users\user\AppData\Local\Temp\tmpC6A9.tmpJump to behavior
          Source: J62DQ7fO0b.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmpBinary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
          Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
          Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeFile read: C:\Users\user\Desktop\J62DQ7fO0b.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\J62DQ7fO0b.exe 'C:\Users\user\Desktop\J62DQ7fO0b.exe'
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp'
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: J62DQ7fO0b.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: J62DQ7fO0b.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: J62DQ7fO0b.exeStatic file information: File size 1865728 > 1048576
          Source: J62DQ7fO0b.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x15d200
          Source: J62DQ7fO0b.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000003.671469676.0000000001120000.00000004.00000001.sdmp, dhcpmon.exe, 00000005.00000000.699290873.00000000008C2000.00000002.00020000.sdmp, dhcpmon.exe.3.dr
          Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000003.00000003.671469676.0000000001120000.00000004.00000001.sdmp, dhcpmon.exe, dhcpmon.exe.3.dr
Source: initial sample | Static PE information: section name: .text entropy: 7.5077416615
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | File created: C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp'

          Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: J62DQ7fO0b.exe PID: 6516, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: foregroundWindowGot 736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: foregroundWindowGot 630
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe TID: 6520 | Thread sleep time: -103490s >= -30000s
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe TID: 6536 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7136 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Thread delayed: delay time: 103490
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000003.00000003.697272033.0000000001183000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DF9008
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp'
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Users\user\Desktop\J62DQ7fO0b.exe VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Users\user\Desktop\J62DQ7fO0b.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara matchFile source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: RegSvcs.exe, 00000003.00000003.681337779.0000000006902000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Yara detected Nanocore RAT
          Source: Yara matchFile source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 211 | Masquerading 2 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 121 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 211 | NTDS | Virtualization/Sandbox Evasion 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | System Information Discovery 12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 384486, Sample: J62DQ7fO0b.exe, Startdate: 09/04/2021, Architecture: WINDOWS, Score: 100
          Start node signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
          Start -> J62DQ7fO0b.exe (started)
              dropped: C:\Users\user\AppData\...\tHyARuOEdFlN.exe (PE32); C:\Users\...\tHyARuOEdFlN.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpC6A9.tmp (XML); C:\Users\user\AppData\...\J62DQ7fO0b.exe.log (ASCII)
              signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Injects a PE file into a foreign processes
              -> RegSvcs.exe (started)
                  DNS/IP: 79.134.225.30, 1144, 49725, 49734 FINK-TELECOM-SERVICESCH Switzerland
                  dropped: C:\Users\user\AppData\Roaming\...\run.dat (Dyalog); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
                  signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
              -> schtasks.exe (started)
                  -> conhost.exe (started)
          Start -> dhcpmon.exe (started)
              -> conhost.exe (started)

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label | Link
          J62DQ7fO0b.exe | 100% | Joe Sandbox ML | |

          Dropped Files

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exe | 100% | Joe Sandbox ML | |
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender | |
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs | |

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label | Link
          nassiru1155.ddns.net | 0% | Avira URL Cloud | safe |
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cnporF | 0% | Avira URL Cloud | safe |
          http://www.founder.com.cn/cnbli | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.comams | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.comen | 0% | Avira URL Cloud | safe |
          http://www.tiro.com | 0% | URL Reputation | safe |
          http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          http://www.carterandcone.com | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cnF | 0% | Avira URL Cloud | safe |
          http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          http://www.typography.netD | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          http://fontfabrik.com | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn/-e | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.comily | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.comsofz | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.comMic& | 0% | Avira URL Cloud | safe |
          http://www.founder.com.cn/cn/a | 0% | Avira URL Cloud | safe |
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          http://www.carterandcone.comext | 0% | Avira URL Cloud | safe |
          http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          http://www.sandoll.co.krF | 0% | Avira URL Cloud | safe |
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          http://www.sandoll.co.krpl | 0% | Avira URL Cloud | safe |
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
          http://www.sakkal.com | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cnivZ | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.comtk | 0% | Avira URL Cloud | safe |
          http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
          http://www.sandoll.co.kro.kr-d | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.comTC | 0% | URL Reputation | safe |
          http://www.carterandcone.comCQ | 0% | Avira URL Cloud | safe |
          http://www.goodfont.co.kr_4F | 0% | Avira URL Cloud | safe |
          79.134.225.30 | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.comhe | 0% | Avira URL Cloud | safe |
          http://www.goodfont.co.krkrF | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.coml | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
          http://www.monotype. | 0% | URL Reputation | safe |
          http://www.fontbureau.comt | 0% | URL Reputation | safe |
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cnbliQ | 0% | Avira URL Cloud | safe |
          http://www.monotype.B | 0% | Avira URL Cloud | safe |
          http://www.monotype.= | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.comand | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.comol | 0% | Avira URL Cloud | safe |

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          nassiru1155.ddns.net | true | Avira URL Cloud: safe | unknown
          79.134.225.30 | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.founder.com.cn/cnporF | J62DQ7fO0b.exe, 00000000.00000003.641710944.000000000146B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnbli | J62DQ7fO0b.exe, 00000000.00000003.641650393.0000000005EA9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comams | J62DQ7fO0b.exe, 00000000.00000003.642738927.0000000005EAF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comen | J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4 | J62DQ7fO0b.exe, 00000000.00000002.671216367.0000000002F1A000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.carterandcone.com | J62DQ7fO0b.exe, 00000000.00000003.642738927.0000000005EAF000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.founder.com.cn/cnF | J62DQ7fO0b.exe, 00000000.00000003.641650393.0000000005EA9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.com | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.typography.netD | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.founder.com.cn/cn/cThe | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://fontfabrik.com | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.founder.com.cn/cn/-e | J62DQ7fO0b.exe, 00000000.00000003.641873996.000000000146B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comily | J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comsofz | J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comMic& | J62DQ7fO0b.exe, 00000000.00000003.642738927.0000000005EAF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.founder.com.cn/cn/a | J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.carterandcone.comext | J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.sandoll.co.krF | J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.sandoll.co.krpl | J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | J62DQ7fO0b.exe, 00000000.00000002.670741597.0000000002E71000.00000004.00000001.sdmp, J62DQ7fO0b.exe, 00000000.00000002.671216367.0000000002F1A000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.founder.com.cn/cnivZ | J62DQ7fO0b.exe, 00000000.00000003.641710944.000000000146B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comtk | J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | J62DQ7fO0b.exe, 00000000.00000003.642142169.000000000146B000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | - | high
http://www.galapagosdesign.com/ | J62DQ7fO0b.exe, 00000000.00000003.646392618.0000000005EE5000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.sandoll.co.kro.kr-d | J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comTC | J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.carterandcone.comCQ | J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr_4F | J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.comhe | J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.krkrF | J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.founder.com.cn/cn/ | J62DQ7fO0b.exe, 00000000.00000003.641998608.0000000005EAC000.00000004.00000001.sdmp, J62DQ7fO0b.exe, 00000000.00000003.641490648.0000000005EDD000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | J62DQ7fO0b.exe, 00000000.00000003.641650393.0000000005EA9000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers/frere-user.html | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | - | high
http://www.monotype. | J62DQ7fO0b.exe, 00000000.00000003.646317309.0000000005EE5000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.comt | J62DQ7fO0b.exe, 00000000.00000002.669671162.0000000001460000.00000004.00000040.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.jiyu-kobo.co.jp/ | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers8 | J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnbliQ | J62DQ7fO0b.exe, 00000000.00000003.641627718.0000000005EA6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.monotype.B | J62DQ7fO0b.exe, 00000000.00000003.646942158.0000000005EE5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.monotype.= | J62DQ7fO0b.exe, 00000000.00000003.646271163.0000000005EE5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.comand | J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comol | J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                    Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
79.134.225.30 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

                                    General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 384486
Start date: 09.04.2021
Start time: 10:06:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: J62DQ7fO0b.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/11@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                    • TCP Packets have been reduced to 100
                                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/384486/sample/J62DQ7fO0b.exe

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
10:07:02 | API Interceptor | 1x Sleep call for process: J62DQ7fO0b.exe modified
10:07:11 | API Interceptor | 947x Sleep call for process: RegSvcs.exe modified
10:07:15 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

                                    Joe Sandbox View / Context

                                    IPs

Match | Associated Sample Name / URL | Detection
79.134.225.30 | oE6O5K1emC.exe | malicious
79.134.225.30 | AIC7VMxudf.exe | malicious
79.134.225.30 | Payment Confirmation.exe | malicious
79.134.225.30 | JOIN.exe | malicious
79.134.225.30 | Itinerary.pdf.exe | malicious
79.134.225.30 | vVH0wIFYFd.exe | malicious
79.134.225.30 | GWee9QSphp.exe | malicious
79.134.225.30 | s7pnYY2USl.jar | malicious
79.134.225.30 | s7pnYY2USl.jar | malicious
79.134.225.30 | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.exe | malicious
79.134.225.30 | Import and Export Regulation.xlsx | malicious
79.134.225.30 | BBdzKOGQ36.exe | malicious
79.134.225.30 | BL.exe | malicious
79.134.225.30 | Payment Invoice.exe | malicious
79.134.225.30 | Payment Invoice.pdf.exe | malicious
79.134.225.30 | Inquiries_scan_011023783591374376585.exe | malicious

                                                                    Domains

                                                                    No context

                                                                    ASN

Match | Associated Sample Name / URL | Detection | Context
FINK-TELECOM-SERVICESCH | oE6O5K1emC.exe | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | zunUbtZ2Y3.exe | malicious | 79.134.225.40
FINK-TELECOM-SERVICESCH | EASTERS.exe | malicious | 79.134.225.118
FINK-TELECOM-SERVICESCH | LIST OF POEA DELISTED AGENCIES.pdf.exe | malicious | 79.134.225.9
FINK-TELECOM-SERVICESCH | AWB.pdf.exe | malicious | 79.134.225.102
FINK-TELECOM-SERVICESCH | AIC7VMxudf.exe | malicious | 79.134.225.30
FINK-TELECOM-SERVICESCH | 9mm case for ROYAL METAL INDUSTRIES 3milmonth Specification drawings.exe | malicious | 79.134.225.21
FINK-TELECOM-SERVICESCH | PO50164.exe | malicious | 79.134.225.79
FINK-TELECOM-SERVICESCH | Fast color scan to a PDFfile_1_20210331084231346.pdf.exe | malicious | 79.134.225.102
FINK-TELECOM-SERVICESCH | n7dIHuG3v6.exe | malicious | 79.134.225.92
FINK-TELECOM-SERVICESCH | F6JT4fXIAQ.exe | malicious | 79.134.225.92
FINK-TELECOM-SERVICESCH | order_inquiry2094.xls.exe | malicious | 79.134.225.102
FINK-TELECOM-SERVICESCH | 5H957qLghX.exe | malicious | 79.134.225.25
FINK-TELECOM-SERVICESCH | yBio5dWAOl.exe | malicious | 79.134.225.7
FINK-TELECOM-SERVICESCH | wDIaJji4Vv.exe | malicious | 79.134.225.7
FINK-TELECOM-SERVICESCH | DkZY1k3y9F.exe | malicious | 79.134.225.23
FINK-TELECOM-SERVICESCH | hbvo9thTAX.exe | malicious | 79.134.225.7
FINK-TELECOM-SERVICESCH | SCAN ORDER DOC 040202021.exe | malicious | 79.134.225.71
FINK-TELECOM-SERVICESCH | Waybill Doc_pdf.exe | malicious | 79.134.225.92
FINK-TELECOM-SERVICESCH | gfcYixSdyD.exe | malicious | 79.134.225.71

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | HSBc20210216B1.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | zunUbtZ2Y3.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | bank transfer.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | nunu.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | quotation.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | GS_ PO NO.1862021.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | UPDATED SOA.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | comprobante de pago bancario.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ANS_309487487_#049844874.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Dekont_12VK2102526 VAKIF KATILIM.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | taiwan.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | SWIFT COPY.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | GS_ PO NO.1862021.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | purchase order.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Payment Advice.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Quotation.pdf...exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PURCHASE ORDER.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | money.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | TT COPY.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | $$$.exe | malicious

                                                                                                            Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 45152
Entropy (8bit): 6.149629800481177
Encrypted: false
SSDEEP: 768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5: 2867A3817C9245F7CF518524DFD18F28
SHA1: D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256: 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512: 7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: HSBc20210216B1.exe, Detection: malicious
• Filename: zunUbtZ2Y3.exe, Detection: malicious
• Filename: bank transfer.exe, Detection: malicious
• Filename: nunu.exe, Detection: malicious
• Filename: quotation.exe, Detection: malicious
• Filename: GS_ PO NO.1862021.exe, Detection: malicious
• Filename: UPDATED SOA.exe, Detection: malicious
• Filename: comprobante de pago bancario.exe, Detection: malicious
• Filename: ANS_309487487_#049844874.exe, Detection: malicious
• Filename: Dekont_12VK2102526 VAKIF KATILIM.exe, Detection: malicious
• Filename: taiwan.exe, Detection: malicious
• Filename: SWIFT COPY.exe, Detection: malicious
• Filename: GS_ PO NO.1862021.exe, Detection: malicious
• Filename: purchase order.exe, Detection: malicious
• Filename: Payment Advice.exe, Detection: malicious
• Filename: Quotation.pdf...exe, Detection: malicious
• Filename: PURCHASE ORDER.exe, Detection: malicious
• Filename: money.exe, Detection: malicious
• Filename: TT COPY.exe, Detection: malicious
• Filename: $$$.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\J62DQ7fO0b.exe.log
                                                                                                            Process:C:\Users\user\Desktop\J62DQ7fO0b.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):1314
                                                                                                            Entropy (8bit):5.350128552078965
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                                            MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                                            SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                                            SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                                            SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                                            Malicious:true
                                                                                                            Reputation:high, very likely benign file
                                                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                                                            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):142
                                                                                                            Entropy (8bit):5.090621108356562
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                                            MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                                            SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                                            SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                                            SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                                            Malicious:false
                                                                                                            Reputation:moderate, very likely benign file
                                                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                            C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp
                                                                                                            Process:C:\Users\user\Desktop\J62DQ7fO0b.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1645
                                                                                                            Entropy (8bit):5.18058135981098
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGRKatn:cbhK79lNQR/rydbz9I3YODOLNdq3EV
                                                                                                            MD5:F97E80A87AE958D4BC07AD23DE478B2A
                                                                                                            SHA1:47F349B089D0861714DF39749A40E92DAE653DA9
                                                                                                            SHA-256:3A01767F80C0386EBB0F5918844F2D1C781C02E3CED00A1B089CF443349AAE72
                                                                                                            SHA-512:A3096C0D7947F1313139EEE2F5CFE82383A6F9C695B90BD2573C84D568FCA2C9D3DBFA032C2CE3FE0995A0AB7B42F3775299846AA97D2809EA390C003FD48913
                                                                                                            Malicious:true
                                                                                                            Reputation:low
                                                                                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
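The tmpC6A9.tmp entry above is the task definition the sample hands to schtasks.exe: a LogonTrigger, a LeastPrivilege/InteractiveToken principal and a StopExisting policy, registered from a temp file. Two details are worth a closer look. The XML declares encoding="UTF-16" while the file type says ASCII, so a parser that trusts the declaration fails on it, and the RegistrationInfo date (2014) is years older than anything else in this report, which is what a templated XML looks like rather than a live export. The following triage script is an added example, not part of the Joe Sandbox report or the malware; it parses a task XML robustly and applies those checks. The XML it parses is constructed from the preview, which is truncated after StartWhenAvailable: the closing tags and the whole Actions element (including the EXAMPLE.exe command path) are assumed, because the report does not show what the task runs, and the analysis date is a placeholder.

```python
import re
from datetime import datetime
from xml.etree import ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed from the tmpC6A9.tmp preview; the report stops after <StartWhenAvailable>.
# Closing tags and the <Actions> element (EXAMPLE.exe) are ASSUMED so the document parses.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\EXAMPLE.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def load_task_xml(raw: bytes) -> ET.Element:
    """Decode by BOM, not by the declaration: schtasks writes UTF-16 with a BOM,
    but the dropped file declares UTF-16 and is ASCII on disk."""
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8-sig")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)  # drop the untrustworthy declaration
    return ET.fromstring(text)


def summarize_task(root: ET.Element) -> dict:
    """Pull the fields a responder looks at first."""
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    triggers_el = root.find("t:Triggers", NS)
    enabled = []
    for trig in ([] if triggers_el is None else list(triggers_el)):
        # A trigger without an <Enabled> element is enabled by default.
        if trig.findtext("t:Enabled", default="true", namespaces=NS).strip().lower() == "true":
            enabled.append(trig.tag.split("}")[-1])
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "registered": text("t:RegistrationInfo/t:Date"),
        "triggers": enabled,
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "stop_existing": text("t:Settings/t:MultipleInstancesPolicy") == "StopExisting",
        "commands": [c.text.strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS) if c.text],
    }


def triage_flags(summary: dict, task_file: str, analysis_date: datetime) -> list:
    """Heuristics, not signatures; each one maps to a finding in the report."""
    flags = []
    if re.search(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp$", task_file, re.I):
        flags.append("task definition registered from a %TEMP% tmpXXXX.tmp file")
    if "LogonTrigger" in summary["triggers"]:
        flags.append("LogonTrigger enabled: re-runs at every logon of this user")
    if summary["registered"]:
        registered = datetime.fromisoformat(summary["registered"][:19])  # drop 7-digit fraction
        if (analysis_date - registered).days > 365:
            flags.append("RegistrationInfo/Date over a year older than the analysis: templated XML")
    for cmd in summary["commands"]:
        if re.search(r"\\AppData\\", cmd, re.I):
            flags.append(f"action runs from a user-writable path: {cmd}")
    if summary["run_level"] == "LeastPrivilege" and summary["logon_type"] == "InteractiveToken":
        flags.append("LeastPrivilege/InteractiveToken: persists without any elevation prompt")
    return flags


def triage_sample() -> tuple:
    """Run the pipeline on the constructed XML as schtasks would write it (UTF-16 + BOM)."""
    summary = summarize_task(load_task_xml(SAMPLE_TASK_XML.encode("utf-16")))
    # Placeholder analysis date; the report's own run date is not on this page.
    flags = triage_flags(summary, r"C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp", datetime(2021, 3, 1))
    return summary, flags
```

Feeding the same text as ASCII (the form the sandbox captured) or as UTF-16 with a BOM gives the same summary, which is the point of decoding by BOM and discarding the declaration.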
                                                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1512
                                                                                                            Entropy (8bit):7.012278113302776
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:IQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCyz:IkR5lkR5lkR5lkR5lkR5lkR5lkR5i
                                                                                                            MD5:99595ABE9D87E2528BEEAAB442B21B36
                                                                                                            SHA1:340D15872EEA4FB38B0BE5EC0BFF3F251A2BA69E
                                                                                                            SHA-256:4EC04D88C855C45BED9EDF5CF9684B402ACAE3DFB1A0161D9D6371E966B9EE6D
                                                                                                            SHA-512:E58CD537D72C7E00376D7595BA8F91A15452E1D3A08E97C74F99D0E5A8201C7039E8C3BDC8ADE74FD9DB7B55C129327C3A160576AA0D2012FCDFF7C938D8CA55
                                                                                                            Malicious:false
                                                                                                            Reputation:low
                                                                                                            Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.*2d.f... ..q.. 7iO.+..c.....!.'.*..mL|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.*2d.f... ..q.. 7iO.+..c.....!.'.*..mL|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.*2d.f... ..q.. 7iO.+..c.....!.'.*..mL|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.*2d.f... ..q.. 7iO.+..c.....!.'.*..mL|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.|........).zs...w.gl..\.G..J.M.vES.0....P.:..6..
                                                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                            File Type:Dyalog APL external variable shared version 6.122
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8
                                                                                                            Entropy (8bit):2.75
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Hy:S
                                                                                                            MD5:E301BD4595E07EF6742AD3F194ACB0DB
                                                                                                            SHA1:C92A55F687D43CD1BDD5A632F037D1A58D00223B
                                                                                                            SHA-256:2AC8CF690E88B0C0A42129AB9925DBFFA3ABF501A119FE80A6CCFAFEEFED4410
                                                                                                            SHA-512:27DB5F621B7783CA0A043796A03ED91B0AD902EE013BFC5E7C744CFE34D5AD816720376CC87BE10AA70515C6087FEDEF561C7C5770516EEC8817B7DCB37A15FB
                                                                                                            Malicious:true
                                                                                                            Reputation:low
                                                                                                            Preview: ...z...H
                                                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):40
                                                                                                            Entropy (8bit):5.153055907333276
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                                                                            MD5:4E5E92E2369688041CC82EF9650EDED2
                                                                                                            SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                                                                            SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                                                                            SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                                                                            Malicious:false
                                                                                                            Reputation:moderate, very likely benign file
                                                                                                            Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):327432
                                                                                                            Entropy (8bit):7.99938831605763
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                                                                            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                                                                            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                                                                            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                                                                            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                                                                            Malicious:false
                                                                                                            Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
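The four files above (catalog.dat, run.dat, settings.bin, storage.dat) under a GUID-named folder in %AppData%\Roaming, all written by the injected RegSvcs.exe, are the NanoCore client's working directory, and the entropy column is how the report decides that storage.dat (7.9994) is encrypted while catalog.dat (7.01, one record repeated, as the SSDEEP shows) is not. Two caveats: run.dat's "Dyalog APL external variable" file type is libmagic matching an 8-byte file against a short magic, not a real APL artifact, and the entropy bands are a heuristic. The hunting script below is an added example, not part of the report; it reproduces the 8-bit Shannon entropy and scans a directory for the exact layout. The directory it scans is constructed in a temp folder from random or repeated filler bytes, not the real files; only the GUID name and file names come from the report.

```python
import math
import os
import re
import tempfile
from collections import Counter

GUID_DIR = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)
NANOCORE_FILES = {"run.dat", "catalog.dat", "settings.bin", "storage.dat"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_entropy(h: float) -> str:
    """Triage bands, not a standard; chosen so the report's 7.9994 lands in the top band."""
    if h >= 7.95:
        return "encrypted/compressed"
    if h >= 6.5:
        return "high"
    return "plain"


def scan_roaming(root: str) -> list:
    """Return GUID-named directories under root that hold all four NanoCore data files."""
    hits = []
    for entry in os.scandir(root):
        if not (entry.is_dir() and GUID_DIR.match(entry.name)):
            continue
        present = {f.name for f in os.scandir(entry.path) if f.is_file()}
        if not NANOCORE_FILES <= present:
            continue  # a GUID folder alone is common (many installers use them); require the full set
        files = {}
        for name in sorted(NANOCORE_FILES):
            with open(os.path.join(entry.path, name), "rb") as fh:
                data = fh.read()
            h = shannon_entropy(data)
            files[name] = {"size": len(data), "entropy": round(h, 4), "class": classify_entropy(h)}
        hits.append({"dir": entry.path, "files": files})
    return hits


def build_constructed_tree() -> str:
    """Fake %AppData%\\Roaming with the report's layout; all contents are filler."""
    root = tempfile.mkdtemp(prefix="roaming_")
    guid_dir = os.path.join(root, "D06ED635-68F6-4E9A-955C-4899F5F57B9A")
    os.mkdir(guid_dir)
    record = os.urandom(189)  # stand-in for the record catalog.dat repeats
    filler = {
        "run.dat": b"\x00" * 8,             # 8 bytes, as in the report
        "catalog.dat": record * 8,          # repetition keeps entropy at the single-record value
        "settings.bin": os.urandom(40),
        "storage.dat": os.urandom(327432),  # random filler scores ~7.999, like the report
    }
    for name, data in filler.items():
        with open(os.path.join(guid_dir, name), "wb") as fh:
            fh.write(data)
    decoy = os.path.join(root, "11111111-2222-3333-4444-555555555555")  # GUID dir, wrong contents
    os.mkdir(decoy)
    open(os.path.join(decoy, "run.dat"), "wb").close()
    return root
```

Repeating a record eight times does not change its byte distribution, so catalog.dat's entropy stays where a single copy would put it; that is why a repeated-plaintext file can sit at 7.0 while a 320 KB random-looking blob sits at 7.999.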
                                                                                                            C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exe
                                                                                                            Process:C:\Users\user\Desktop\J62DQ7fO0b.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1865728
                                                                                                            Entropy (8bit):7.042310357804828
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:49152:9Ni8vaKvPuXtaD5LNaw/RRMbBRtlxaJvxdrLBF+F36q:Bzv4w/RRMbBRZaJvz3XO35
                                                                                                            MD5:A74ECE32BC1B6DB38A2D379C7FC78D2C
                                                                                                            SHA1:25EA63E67B842641E57BC5B405EA51EC9C6BEB5B
                                                                                                            SHA-256:20E490AFBA639EA251A2F095A8B9B85E1B9922FF6D8B6F47CEB567BA62521A28
                                                                                                            SHA-512:63A026DEDC6B2478A0CA7625534045E98334185BFEA76B7DAA74C1FE8CB32757AB26F97ACE14B8400EA70DF8FDDD0F10DBA51041F2444534A11BF49F41746672
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o`................................. ........@.. ....................................@.....................................W.... ..t............................................................................ ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...t.... ......................@..@........................H............p..........D...............................................z.(......}.....( ...o!...}....*..*...0...........{......E............8...Z...u................*..}..... ].4S}......}.....*..}..... ..Q.}......}.....*..}......{.... Km.a}......}.....*..}..... ,...}......}.....*..}......{.... ..=.a}......}.....*..}..... ....}......}.....*..}..... "G.R}......}.....*..}.....*...{....*.s"...z.2.{.....f...*....0..<........{......3..{....( ...o!...3...}......+..s.......{....}..
                                                                                                            C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exe:Zone.Identifier
                                                                                                            Process:C:\Users\user\Desktop\J62DQ7fO0b.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:true
                                                                                                            Preview: [ZoneTransfer]....ZoneId=0
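Two things in the tHyARuOEdFlN.exe entries above are worth verifying by hand rather than trusting a label: its MD5/SHA1/SHA256 are exactly the sample's own, so the "dropped" file is a self-copy into %AppData%\Roaming, and its Zone.Identifier stream is the 26-byte text [ZoneTransfer], blank line, ZoneId=0. A file that arrived by browser or mail carries ZoneId=3 (Internet); a ZoneId=0 stream on a fresh drop was written by the dropper to keep Mark-of-the-Web prompts from firing on the persisted copy, which is the "hides that the sample has been downloaded from the Internet" finding. The check below is an added example, not part of the report; it parses the stream and compares hashes. The payload bytes are a constructed stand-in and the working directory is a temp folder; only the stream text and the file name match the report. Opening path + ":Zone.Identifier" reads the NTFS alternate data stream on Windows; on other platforms it opens an ordinary file of that name, which is what the demo writes so the same code runs anywhere.

```python
import hashlib
import os
import tempfile
from typing import Optional

ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style Zone.Identifier stream ([ZoneTransfer] section only)."""
    section, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    if out.get("ZoneId", "").isdigit():
        out["ZoneId"] = int(out["ZoneId"])
    return out


def read_zone_identifier(path: str) -> Optional[str]:
    """NTFS ADS on Windows; a plain file named 'x.exe:Zone.Identifier' elsewhere."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


def assess_drop(sample_sha256: str, dropped: bytes, zone_text: Optional[str]) -> dict:
    """Self-copy check plus Mark-of-the-Web verdict for one dropped file."""
    digest = hashlib.sha256(dropped).hexdigest()
    verdict = {"sha256": digest, "self_copy": digest == sample_sha256.lower(), "zone": None, "flags": []}
    if verdict["self_copy"]:
        verdict["flags"].append("byte-identical copy of the analysed sample")
    if zone_text is None:
        verdict["flags"].append("no Zone.Identifier stream")
        return verdict
    zone_id = parse_zone_identifier(zone_text).get("ZoneId")
    verdict["zone"] = ZONES.get(zone_id, f"unknown({zone_id})")
    if isinstance(zone_id, int) and zone_id < 3:
        verdict["flags"].append(f"ZoneId={zone_id} ({verdict['zone']}) on a fresh drop: "
                                "Mark-of-the-Web suppressed, no SmartScreen or Protected View prompt")
    return verdict


def demo() -> dict:
    """Constructed drop: stand-in payload plus the exact 26-byte stream from the report."""
    root = tempfile.mkdtemp(prefix="drop_")
    payload = b"MZ-constructed-stand-in-for-the-sample-bytes"  # NOT the real PE
    dropped = os.path.join(root, "tHyARuOEdFlN.exe")
    with open(dropped, "wb") as fh:
        fh.write(payload)
    with open(dropped + ":Zone.Identifier", "w", encoding="utf-8", newline="") as fh:
        fh.write("[ZoneTransfer]\r\n\r\nZoneId=0")
    with open(dropped, "rb") as fh:
        data = fh.read()
    return assess_drop(hashlib.sha256(payload).hexdigest(), data, read_zone_identifier(dropped))
```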
                                                                                                            \Device\ConDrv
                                                                                                            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1141
                                                                                                            Entropy (8bit):4.44831826838854
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                                                            MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                                                            SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                                                            SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                                                            SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                                                            Malicious:false
                                                                                                            Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.042310357804828
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: J62DQ7fO0b.exe
File size: 1865728
MD5: a74ece32bc1b6db38a2d379c7fc78d2c
SHA1: 25ea63e67b842641e57bc5b405ea51ec9c6beb5b
SHA256: 20e490afba639ea251a2f095a8b9b85e1b9922ff6d8b6f47ceb567ba62521a28
SHA512: 63a026dedc6b2478a0ca7625534045e98334185bfea76b7daa74c1fe8cb32757ab26f97ace14b8400ea70df8fddd0f10dba51041f2444534a11bf49f41746672
SSDEEP: 49152:9Ni8vaKvPuXtaD5LNaw/RRMbBRtlxaJvxdrLBF+F36q:Bzv4w/RRMbBRZaJvz3XO35
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o`................................. ........@.. ....................................@................................

File Icon

Icon Hash: 71f0d4d4ccccf070

Static PE Info

General

Entrypoint: 0x55f0de
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x606FFEAC [Fri Apr 9 07:13:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15f084 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x162000 | 0x6a074 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x160000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x15d0e4 | 0x15d200 | False | 0.644486495256 | data | 7.5077416615 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x160000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x162000 | 0x6a074 | 0x6a200 | False | 0.217089038575 | data | 4.26679146424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x162220 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x172a48 | 0x42028 | data | |
RT_ICON | 0x1b4a70 | 0x25a8 | data | |
RT_ICON | 0x1b7018 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x1bb240 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 16777216, next used block 16777216 | |
RT_GROUP_ICON | 0x1cba68 | 0x22 | data | |
RT_GROUP_ICON | 0x1cba8c | 0x4c | data | |
RT_VERSION | 0x1cbad8 | 0x350 | data | |
RT_MANIFEST | 0x1cbe28 | 0x249 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Northern Star
Assembly Version | 2.1.0.8
InternalName | IBindableIterable.exe
FileVersion | 2.1.0.8
CompanyName | Northern Star
LegalTrademarks |
Comments |
ProductName | MDM
ProductVersion | 2.1.0.8
FileDescription | MDM
OriginalFilename | IBindableIterable.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/09/21-10:07:12.671031 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49725 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:07:19.452199 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49734 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:07:26.421327 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:07:33.554381 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49739 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:07:39.696069 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49740 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:07:46.643686 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49742 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:07:52.853588 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:07:59.880822 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49752 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:08:06.886756 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49756 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:08:13.696819 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49757 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:08:19.884335 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49758 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:08:26.972195 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49761 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:08:33.851582 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49763 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:08:39.897169 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49769 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:08:46.177906 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49770 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:08:52.997147 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49771 | 1144 | 192.168.2.4 | 79.134.225.30
04/09/21-10:08:59.086454 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49772 | 1144 | 192.168.2.4 | 79.134.225.30

Network Port Distribution

TCP Packets


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 10:06:54
Start date: 09/04/2021
Path: C:\Users\user\Desktop\J62DQ7fO0b.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\J62DQ7fO0b.exe'
Imagebase: 0x990000
File size: 1865728 bytes
MD5 hash: A74ECE32BC1B6DB38A2D379C7FC78D2C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 10:07:07
Start date: 09/04/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp'
Imagebase: 0x8d0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:07:07
Start date: 09/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:07:08
Start date: 09/04/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0xa50000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 10:07:23
Start date: 09/04/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0x8c0000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

General

Start time: 10:07:24
Start date: 09/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
