
Windows Analysis Report IDeVaZ8ESy.exe

Overview

General Information

Sample Name: IDeVaZ8ESy.exe
Analysis ID: 452411
MD5: b0876b8da9dcb8a3b22d2cbf2b6a4711
SHA1: 80e619da78e64bf6845f284c50bfacf17c55a274
SHA256: d6215a4b16d74db6dafc28a78f15885de77570347acfbac416f18b223ba08e26
Tags: exe, NanoCore, RAT

Most interesting Screenshot: (screenshot image not included in this export)

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • IDeVaZ8ESy.exe (PID: 5976 cmdline: 'C:\Users\user\Desktop\IDeVaZ8ESy.exe' MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
    • IDeVaZ8ESy.exe (PID: 1384 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
    • IDeVaZ8ESy.exe (PID: 5056 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
      • schtasks.exe (PID: 6064 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • IDeVaZ8ESy.exe (PID: 5972 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe 0 MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
    • IDeVaZ8ESy.exe (PID: 1276 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "0bb207a5-6f92-4ff1-abb5-35e0dc25", "Group": "AUGUST", "Domain1": "asweee.jumpingcrab.com", "Domain2": "tryweaswweee.ydns.eu", "Port": 8234, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "asweee.jumpingcrab.com", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x57b01:$x1: NanoCore.ClientPluginHost
    • 0x57b3e:$x2: IClientNetworkHost
    • 0x5b671:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x57869:$a: NanoCore
    • 0x57879:$a: NanoCore
    • 0x57aad:$a: NanoCore
    • 0x57ac1:$a: NanoCore
    • 0x57b01:$a: NanoCore
    • 0x578c8:$b: ClientPlugin
    • 0x57aca:$b: ClientPlugin
    • 0x57b0a:$b: ClientPlugin
    • 0x579ef:$c: ProjectData
    • 0x583f6:$d: DESCrypto
    • 0x59fab:$i: get_Connected
    • 0x5872c:$j: #=q
    • 0x5875c:$j: #=q
    • 0x58778:$j: #=q
    • 0x587a8:$j: #=q
    • 0x587c4:$j: #=q
    • 0x587e0:$j: #=q
    • 0x58810:$j: #=q
    • 0x5882c:$j: #=q
    • 0x58870:$j: #=q
    • 0x5888c:$j: #=q
(22 entries in total; the remaining memory-dump entries are not included in this export)

    Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.IDeVaZ8ESy.exe.3df0614.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0xd9ad:$x1: NanoCore.ClientPluginHost
    • 0xd9da:$x2: IClientNetworkHost
12.2.IDeVaZ8ESy.exe.3df0614.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xd9ad:$x2: NanoCore.ClientPluginHost
    • 0xea88:$s4: PipeCreated
    • 0xd9c7:$s5: IClientLoggingHost
12.2.IDeVaZ8ESy.exe.3df0614.5.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0xf7ad:$x1: NanoCore.ClientPluginHost
      • 0x287b9:$x1: NanoCore.ClientPluginHost
      • 0xf7da:$x2: IClientNetworkHost
      • 0x287e6:$x2: IClientNetworkHost
12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xf7ad:$x2: NanoCore.ClientPluginHost
      • 0x287b9:$x2: NanoCore.ClientPluginHost
      • 0x10888:$s4: PipeCreated
      • 0x29894:$s4: PipeCreated
      • 0xf7c7:$s5: IClientLoggingHost
      • 0x287d3:$s5: IClientLoggingHost
(28 entries in total; the remaining unpacked-PE entries are not included in this export)

      Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "0bb207a5-6f92-4ff1-abb5-35e0dc25", "Group": "AUGUST", "Domain1": "asweee.jumpingcrab.com", "Domain2": "tryweaswweee.ydns.eu", "Port": 8234, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "asweee.jumpingcrab.com", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; ReversingLabs: Detection: 32%
Multi AV Scanner detection for submitted file
Source: IDeVaZ8ESy.exe; Virustotal: Detection: 23%
Source: IDeVaZ8ESy.exe; Metadefender: Detection: 20%
Source: IDeVaZ8ESy.exe; ReversingLabs: Detection: 32%
Yara detected Nanocore RAT
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY
Source: Yara match; File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: IDeVaZ8ESy.exe; Joe Sandbox ML: detected
Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: IDeVaZ8ESy.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: IDeVaZ8ESy.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49709 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49722 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49723 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49727 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49731 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 37.0.8.214:8234
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 37.0.8.214:8234
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: tryweaswweee.ydns.eu
Source: Malware configuration extractor; URLs: asweee.jumpingcrab.com
Source: global traffic; TCP traffic: 192.168.2.3:49709 -> 37.0.8.214:8234
Source: unknown; DNS traffic detected: queries for: asweee.jumpingcrab.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY
Source: Yara match; File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.IDeVaZ8ESy.exe.2e09668.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Code function: 1_2_018CC224
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Code function: 1_2_018CE5E1
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Code function: 1_2_018CE5F0
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_0091C224
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_0091E5F0
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_0091E5E2
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_06551600
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_06556FA8
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_0655410F
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_065515F0
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_07037FA0
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 12_2_0137E471
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 12_2_0137E480
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 12_2_0137BBD4
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 12_2_01379EA8
      Source: IDeVaZ8ESy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: IDeVaZ8ESy.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: IDeVaZ8ESy.exe, 00000001.00000003.241816461.0000000007F51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000001.00000002.259661598.0000000007A90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNlljmbtp.dll" vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000001.00000003.238305194.000000000429A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCdmugmphdzemkomhbdp.dllH vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000001.00000002.259352009.00000000078F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000001.00000002.252510635.0000000003271000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000001.00000002.259331908.00000000078E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000005.00000002.247120178.000000000032A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000006.00000000.249621020.000000000092A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000006.00000003.262207809.00000000010D7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.301424388.0000000006A10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000003.272026021.0000000003B2D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNlljmbtp.dll" vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000000.259450434.000000000017A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.279145617.000000000093A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.301092213.0000000006510000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282775886.0000000003591000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCdmugmphdzemkomhbdp.dllH vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000C.00000002.302461302.0000000005320000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000C.00000000.274586312.00000000009BA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe | Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
      Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.IDeVaZ8ESy.exe.2e09668.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.IDeVaZ8ESy.exe.2e09668.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: IDeVaZ8ESy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: IDeVaZ8ESy.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/9@16/1
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IDeVaZ8ESy.exe.log
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{0bb207a5-6f92-4ff1-abb5-35e0dc25fe5d}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2476:120:WilError_01
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | File created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: IDeVaZ8ESy.exe | Virustotal: Detection: 23%
      Source: IDeVaZ8ESy.exe | Metadefender: Detection: 20%
      Source: IDeVaZ8ESy.exe | ReversingLabs: Detection: 32%
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | File read: C:\Users\user\Desktop\IDeVaZ8ESy.exe
      Source: unknown | Process created: C:\Users\user\Desktop\IDeVaZ8ESy.exe 'C:\Users\user\Desktop\IDeVaZ8ESy.exe'
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe 0
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp'
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: IDeVaZ8ESy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: IDeVaZ8ESy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_06553A80 push es; ret
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_065538BD push es; ret
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_0703350E push edi; retf
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Code function: 10_2_070334C9 pushfd ; retf
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | File created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | File opened: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: IDeVaZ8ESy.exe, 00000001.00000002.252510635.0000000003271000.00000004.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWindow / User API: threadDelayed 3532
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWindow / User API: threadDelayed 5665
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWindow / User API: foregroundWindowGot 633
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWindow / User API: foregroundWindowGot 756
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe TID: 4736Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe TID: 5800Thread sleep time: -10145709240540247s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe TID: 2792Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe TID: 1236Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmpBinary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
      Source: IDeVaZ8ESy.exe, 00000006.00000003.322069086.00000000010B8000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeMemory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeMemory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeMemory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 400000
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeMemory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 402000
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeMemory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 420000
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeMemory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 422000
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeMemory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: A3B008
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeProcess created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp'
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeProcess created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Users\user\Desktop\IDeVaZ8ESy.exe VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct

      Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY
Source: Yara match | File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY

      Remote Access Functionality:

Detected Nanocore Rat
Source: IDeVaZ8ESy.exe, 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: IDeVaZ8ESy.exe, 00000006.00000003.262207809.00000000010D7000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: IDeVaZ8ESy.exe, 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: IDeVaZ8ESy.exe, 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection211 | Masquerading1 | Input Capture11 | Query Registry1 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery211 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection211 | NTDS | Virtualization/Sandbox Evasion21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing12 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

Behavior Graph

Behavior Graph ID: 452411 | Sample: IDeVaZ8ESy.exe | Start date: 22/07/2021 | Architecture: WINDOWS | Score: 100

• Start
  • DNS/IP: asweee.jumpingcrab.com
  • Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
  • IDeVaZ8ESy.exe 5 started
    • Dropped files: C:\Users\user\AppData\...\IDeVaZ8ESy.exe (PE32); C:\Users\...\IDeVaZ8ESy.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\IDeVaZ8ESy.exe.log (ASCII)
    • Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
    • IDeVaZ8ESy.exe 11 started
      • DNS/IP: asweee.jumpingcrab.com 37.0.8.214, ports 49709, 49722, 49723, WKD-ASIE Netherlands
      • Dropped files: C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\Users\user\AppData\Local\...\tmpBB0F.tmp (XML)
      • Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
      • schtasks.exe 1 started
        • conhost.exe started
    • IDeVaZ8ESy.exe started
      • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
  • IDeVaZ8ESy.exe 2 started
    • IDeVaZ8ESy.exe 2 started


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
IDeVaZ8ESy.exe | 24% | Virustotal |
IDeVaZ8ESy.exe | 23% | Metadefender |
IDeVaZ8ESy.exe | 32% | ReversingLabs | ByteCode-MSIL.Coinminer.BitCoinMiner
IDeVaZ8ESy.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | 24% | Virustotal |
C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | 23% | Metadefender |
C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | 32% | ReversingLabs | ByteCode-MSIL.Coinminer.BitCoinMiner

Unpacked PE Files

Source | Detection | Scanner | Label
12.2.IDeVaZ8ESy.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

Domains

Source | Detection | Scanner | Label
asweee.jumpingcrab.com | 4% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
asweee.jumpingcrab.com | 4% | Virustotal |
asweee.jumpingcrab.com | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
tryweaswweee.ydns.eu | 2% | Virustotal |
tryweaswweee.ydns.eu | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
asweee.jumpingcrab.com | 37.0.8.214 | true | true | | unknown

      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
asweee.jumpingcrab.com | true | 4%, Virustotal; Avira URL Cloud: safe | unknown
tryweaswweee.ydns.eu | true | 2%, Virustotal; Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                          Contacted IPs


                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
37.0.8.214 | asweee.jumpingcrab.com | Netherlands | 198301 | WKD-ASIE | true

                          General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452411
Start date: 22.07.2021
Start time: 10:11:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: IDeVaZ8ESy.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@11/9@16/1
EGA Information: Failed
HDC Information: Failed
                          HCA Information:
                          • Successful, ratio: 95%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          Warnings:
                          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                          • TCP Packets have been reduced to 100
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.147.198.201, 13.88.21.125, 23.211.4.86, 40.88.32.150, 20.50.102.62, 173.222.108.226, 173.222.108.210, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.209.183
                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.

                          Simulations

                          Behavior and APIs

                          Time      Type             Description
                          10:12:13  API Interceptor  903x Sleep call for process: IDeVaZ8ESy.exe modified
                          10:12:32  Task Scheduler   Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe" s>$(Arg0)

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASN

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IDeVaZ8ESy.exe.log
                          Process:C:\Users\user\Desktop\IDeVaZ8ESy.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):1119
                          Entropy (8bit):5.356708753875314
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                          MD5:3197B1D4714B56F2A6AC9E83761739AE
                          SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                          SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                          SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                          Malicious:true
                          Reputation:unknown
                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                          C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Process:C:\Users\user\Desktop\IDeVaZ8ESy.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):565248
                          Entropy (8bit):6.2839101385440355
                          Encrypted:false
                          SSDEEP:12288:3FBH6YCzj8MFiAInR2MDDT/lgCc+zElDiUQm:1/Czjli14m8ym
                          MD5:B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          SHA1:80E619DA78E64BF6845F284C50BFACF17C55A274
                          SHA-256:D6215A4B16D74DB6DAFC28A78F15885DE77570347ACFBAC416F18B223BA08E26
                          SHA-512:3B52E3ABA69434D0B13E26B359F28493C303593BFDB254D86D3F91F7BFDE8F318BB11FFB3A9EE26547EE389EF181EB61E863E2060F2A950F6EBF0AF94D26A146
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: Virustotal, Detection: 24%, Browse
                          • Antivirus: Metadefender, Detection: 23%, Browse
                          • Antivirus: ReversingLabs, Detection: 32%
                          Reputation:unknown
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t .`.................l...2......2.... ........@.. ....................................@....................................W.......</........................................................................... ............... ..H............text...8j... ...l.................. ..`.rsrc...</.......0...n..............@..@.reloc..............................@..B........................H........n..0....... ....1...=...........................................0.............-.&(....+.&+.*....0..........s....(....t.....-.&+......+.*....~....*..0..%........(.......-.&&...-.&&+.}....+.}....+.*....0..\........(.... .U...-.&.s.....,.&&(....~....%-/+.(....+.}....+.&~..........s....%.-.&+......+.o....*.0..).........s.....-.&..(....-.+..+..{.....o.....*.*....0..$.........(.....-.&.,.+..+..{.....o....&.*.*.0.............-.&{.......-.&o....+.&+.&+.*..0.............-.&{.
                          C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe:Zone.Identifier
                          Process:C:\Users\user\Desktop\IDeVaZ8ESy.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Reputation:unknown
                          Preview: [ZoneTransfer]....ZoneId=0
                          C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1311
                          Entropy (8bit):5.12366956692759
                          Encrypted:false
                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0aLxtn:cbk4oL600QydbQxIYODOLedq3BLj
                          MD5:48241E0061B6E8208F2B28FF3896C16B
                          SHA1:7A3C99770473C1F92E22D5CF3666E84F23815F10
                          SHA-256:2C2AF82671F7D1F7835E843CFFD29F4FA334B997649BA0E823A4C532B62DD6CC
                          SHA-512:CB9640388D552237FE1BAA52CEC19ABAD2E18FDFB229B43B0B42F5E42E86CA519F496F074F86BE3CD28428EDC8ACC6067099030FC7E3A64430B5500302AD0551
                          Malicious:true
                          Reputation:unknown
                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1856
                          Entropy (8bit):7.024371743172393
                          Encrypted:false
                          SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
                          MD5:838CD9DBC78EA45A5406EAE23962086D
                          SHA1:C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
                          SHA-256:6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
                          SHA-512:F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
                          Malicious:false
                          Reputation:unknown
                          Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:ISO-8859 text, with no line terminators
                          Category:dropped
                          Size (bytes):8
                          Entropy (8bit):3.0
                          Encrypted:false
                          SSDEEP:3:Zt:T
                          MD5:B298CDF095904A184461B5CF41DDBFD8
                          SHA1:7CD28EFCCF3896A7B1F29BD5FA141BCA4D987155
                          SHA-256:EB5E8C19784EECC2DCC1C974116E21E3E45A89331D8BE9F929CEB4F0120A7249
                          SHA-512:54C3E4B2E17403899C500FB01D2A2F97273B36A658145314FBE70BED2B8794F8398A39FD90D0C30AAAD4EB46251781A396551BADCE244DFE49D36171A010BE44
                          Malicious:true
                          Reputation:unknown
                          Preview: ..l.3M.H
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):40
                          Entropy (8bit):5.153055907333276
                          Encrypted:false
                          SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                          MD5:4E5E92E2369688041CC82EF9650EDED2
                          SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                          SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                          SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                          Malicious:false
                          Reputation:unknown
                          Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):327432
                          Entropy (8bit):7.99938831605763
                          Encrypted:true
                          SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                          MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                          SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                          SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                          SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                          Malicious:false
                          Reputation:unknown
                          Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):48
                          Entropy (8bit):4.55404701206774
                          Encrypted:false
                          SSDEEP:3:oNWXp5cViE2J5xAIs6AC:oNWXp+N23fz
                          MD5:6A1470C263611221341BBA42E51B85CE
                          SHA1:9F136F89C8F6C8D9238AD5BC4BE00662B7C8BDDC
                          SHA-256:771EAEEC47531B823EADBCD3E95EA80AA1D634848CA506B23FE3884C0279C7EE
                          SHA-512:3BA49F78789234C6BC16E5FD7FF9D693B342AF30B3829A46438A30818DEAC00F71F4FA98538EDA74ABA21CF868ED947E1E3C2A833567D6E71D0BBBE17126BFB4
                          Malicious:false
                          Reputation:unknown
                          Preview: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):6.2839101385440355
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:IDeVaZ8ESy.exe
                          File size:565248
                          MD5:b0876b8da9dcb8a3b22d2cbf2b6a4711
                          SHA1:80e619da78e64bf6845f284c50bfacf17c55a274
                          SHA256:d6215a4b16d74db6dafc28a78f15885de77570347acfbac416f18b223ba08e26
                          SHA512:3b52e3aba69434d0b13e26b359f28493c303593bfdb254d86d3f91f7bfde8f318bb11ffb3a9ee26547ee389ef181eb61e863e2060f2a950f6ebf0af94d26a146
                          SSDEEP:12288:3FBH6YCzj8MFiAInR2MDDT/lgCc+zElDiUQm:1/Czjli14m8ym
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t .`.................l...2......2.... ........@.. ....................................@................................

                          File Icon

                          Icon Hash:499669d8d82916a8

                          Static PE Info

                          General

                          Entrypoint:0x488a32
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x60F82074 [Wed Jul 21 13:26:12 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al

                          Data Directories

                          Name                                  Virtual Address  Virtual Size  Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT          0x889d8          0x57          .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8a000          0x2f3c        .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8e000          0xc           .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                          Sections

                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                          .text   0x2000           0x86a38       0x86c00   False     0.746072008349   data       6.20385416645   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rsrc   0x8a000          0x2f3c        0x3000    False     0.69677734375    data       6.71663956615   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc  0x8e000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          Name           RVA      Size    Type                                                                                            Language  Country
                          RT_ICON        0x8a1f0  0x1b8e  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                          RT_ICON        0x8bd80  0x668   dBase III DBT, version number 0, next free block index 40
                          RT_ICON        0x8c3e8  0x2e8   data
                          RT_ICON        0x8c6d0  0x1e8   data
                          RT_ICON        0x8c8b8  0x128   GLS_BINARY_LSB_FIRST
                          RT_GROUP_ICON  0x8c9e0  0x4c    data
                          RT_VERSION     0x8ca2c  0x35c   data
                          RT_MANIFEST    0x8cd88  0x1b4   XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

                          Imports

                          DLL          Import
                          mscoree.dll  _CorExeMain

                          Version Infos

                          Description       Data
                          Translation       0x0000 0x04b0
                          LegalCopyright    (C) 2021 AnyDesk Software GmbH
                          Assembly Version  6.3.2.0
                          InternalName      nputty.exe
                          FileVersion       6.3.2.0
                          CompanyName       AnyDesk Software GmbH
                          LegalTrademarks
                          Comments          AnyDesk
                          ProductName       AnyDesk
                          ProductVersion    6.3.2.0
                          FileDescription   AnyDesk
                          OriginalFilename  nputty.exe

                          Network Behavior

                          Snort IDS Alerts

                          Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
                          07/22/21-10:12:33.217914  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49709        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:12:40.509972  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49722        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:12:48.555142  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49723        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:12:55.373984  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49727        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:13:02.137554  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49730        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:13:09.462872  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49731        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:13:16.164647  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49733        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:13:23.046489  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49736        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:13:31.366337  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49737        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:13:38.273686  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49738        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:13:44.446402  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49739        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:13:51.623633  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49741        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:13:57.692526  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49743        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:14:05.154406  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49744        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:14:12.712032  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49745        8234       192.168.2.3  37.0.8.214
                          07/22/21-10:14:18.043589  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49746        8234       192.168.2.3  37.0.8.214

                          Network Port Distribution

                          TCP Packets

                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jul 22, 2021 10:12:33.089236021 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.142811060 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.145814896 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.217914104 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.292243958 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.303235054 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.364623070 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.394793987 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.470685005 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.563316107 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.563430071 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.563493967 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.563508034 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.563519955 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.563560963 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.618494987 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.618532896 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.618556023 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.618583918 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.618638992 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.618664026 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.618688107 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.618686914 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.618710995 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.618750095 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.618771076 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.618774891 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.672164917 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672214031 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672239065 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672262907 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672285080 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672288895 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.672307968 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672317028 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.672333002 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672346115 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.672362089 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672385931 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672405005 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.672409058 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672432899 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672456980 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672460079 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.672481060 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672504902 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672508955 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.672528028 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672554016 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.672555923 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.672602892 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.740875959 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.740926981 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.740947962 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.740972996 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.740995884 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741002083 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741019011 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741034031 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741044044 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741069078 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741074085 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741096973 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741121054 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741144896 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741146088 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741170883 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741179943 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741195917 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741209984 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741215944 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741238117 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741261959 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741262913 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741293907 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741307020 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741319895 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741343975 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741369963 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741394043 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741403103 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741420031 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741445065 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741451979 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741470098 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741472960 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741497993 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741513968 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741520882 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741543055 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741568089 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741585970 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741594076 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741616964 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741626978 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741641998 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741656065 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.741666079 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3
                          Jul 22, 2021 10:12:33.741715908 CEST | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          Jul 22, 2021 10:12:33.796605110 CEST | 8234 | 49709 | 37.0.8.214 | 192.168.2.3

                          UDP Packets

                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jul 22, 2021 10:12:04.483680964 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:04.544792891 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:17.474087000 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:17.527877092 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:18.381427050 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:18.433568954 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:19.729363918 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:19.781308889 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:20.862613916 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:20.911739111 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:29.784545898 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:29.836622953 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:30.934617043 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:30.987359047 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:31.743467093 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:31.792503119 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:32.683058023 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:32.735102892 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:32.898813009 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:33.077167034 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:33.553186893 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:33.603641033 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:34.740466118 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:34.789644003 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:35.512552977 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:35.571091890 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:35.966790915 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:36.024133921 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:36.834734917 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:36.887063026 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:37.900320053 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:37.952675104 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:38.714679003 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:38.766938925 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:39.834132910 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:39.897793055 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:40.028800964 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:40.081362963 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:40.395188093 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:40.454894066 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:48.051269054 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:48.132077932 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:53.429100037 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:53.479486942 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:54.279499054 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:54.337770939 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:55.132555008 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:55.192229986 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:55.243602991 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:55.300825119 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:56.994220972 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:57.054982901 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:12:57.147958040 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:12:57.207802057 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:02.021925926 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:02.082191944 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:09.345129013 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:09.402096987 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:15.068753004 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:15.136583090 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:15.940887928 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:16.108418941 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:18.308175087 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:18.367202044 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:22.932476044 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:22.989346027 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:31.250138044 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:31.309767962 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:38.157721996 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:38.214937925 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:44.280306101 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:44.338745117 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:50.347492933 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:50.419574022 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:51.347198963 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:51.418507099 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:52.124183893 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:52.182318926 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:13:57.575160980 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:13:57.634875059 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:14:04.869976997 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:14:04.928997993 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:14:12.535176992 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:14:12.603715897 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3
                          Jul 22, 2021 10:14:17.928350925 CEST | 62938 | 53 | 192.168.2.3 | 8.8.8.8
                          Jul 22, 2021 10:14:17.980721951 CEST | 53 | 62938 | 8.8.8.8 | 192.168.2.3

                          DNS Queries

                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                          Jul 22, 2021 10:12:32.898813009 CEST | 192.168.2.3 | 8.8.8.8 | 0x2bc0 | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:12:40.395188093 CEST | 192.168.2.3 | 8.8.8.8 | 0x3636 | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:12:48.051269054 CEST | 192.168.2.3 | 8.8.8.8 | 0xd70c | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:12:55.243602991 CEST | 192.168.2.3 | 8.8.8.8 | 0xb15c | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:02.021925926 CEST | 192.168.2.3 | 8.8.8.8 | 0x2265 | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:09.345129013 CEST | 192.168.2.3 | 8.8.8.8 | 0xb607 | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:15.940887928 CEST | 192.168.2.3 | 8.8.8.8 | 0xea1e | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:22.932476044 CEST | 192.168.2.3 | 8.8.8.8 | 0x5485 | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:31.250138044 CEST | 192.168.2.3 | 8.8.8.8 | 0xf29f | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:38.157721996 CEST | 192.168.2.3 | 8.8.8.8 | 0x4ef7 | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:44.280306101 CEST | 192.168.2.3 | 8.8.8.8 | 0x6d0a | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:51.347198963 CEST | 192.168.2.3 | 8.8.8.8 | 0xb158 | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:57.575160980 CEST | 192.168.2.3 | 8.8.8.8 | 0xa0aa | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:14:04.869976997 CEST | 192.168.2.3 | 8.8.8.8 | 0xf64e | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:14:12.535176992 CEST | 192.168.2.3 | 8.8.8.8 | 0xf46b | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:14:17.928350925 CEST | 192.168.2.3 | 8.8.8.8 | 0x918f | Standard query (0) | asweee.jumpingcrab.com | A (IP address) | IN (0x0001)

                          DNS Answers

                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                          Jul 22, 2021 10:12:33.077167034 CEST | 8.8.8.8 | 192.168.2.3 | 0x2bc0 | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:12:40.454894066 CEST | 8.8.8.8 | 192.168.2.3 | 0x3636 | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:12:48.132077932 CEST | 8.8.8.8 | 192.168.2.3 | 0xd70c | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:12:55.300825119 CEST | 8.8.8.8 | 192.168.2.3 | 0xb15c | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:02.082191944 CEST | 8.8.8.8 | 192.168.2.3 | 0x2265 | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:09.402096987 CEST | 8.8.8.8 | 192.168.2.3 | 0xb607 | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:16.108418941 CEST | 8.8.8.8 | 192.168.2.3 | 0xea1e | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:22.989346027 CEST | 8.8.8.8 | 192.168.2.3 | 0x5485 | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:31.309767962 CEST | 8.8.8.8 | 192.168.2.3 | 0xf29f | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:38.214937925 CEST | 8.8.8.8 | 192.168.2.3 | 0x4ef7 | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:44.338745117 CEST | 8.8.8.8 | 192.168.2.3 | 0x6d0a | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:51.418507099 CEST | 8.8.8.8 | 192.168.2.3 | 0xb158 | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:13:57.634875059 CEST | 8.8.8.8 | 192.168.2.3 | 0xa0aa | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:14:04.928997993 CEST | 8.8.8.8 | 192.168.2.3 | 0xf64e | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:14:12.603715897 CEST | 8.8.8.8 | 192.168.2.3 | 0xf46b | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 22, 2021 10:14:17.980721951 CEST | 8.8.8.8 | 192.168.2.3 | 0x918f | No error (0) | asweee.jumpingcrab.com |  | 37.0.8.214 | A (IP address) | IN (0x0001)

                          Code Manipulations

                          Statistics

                          Behavior

                          System Behavior

                          General

                          Start time: 10:12:11
                          Start date: 22/07/2021
                          Path: C:\Users\user\Desktop\IDeVaZ8ESy.exe
                          Wow64 process (32bit): true
                          Commandline: 'C:\Users\user\Desktop\IDeVaZ8ESy.exe'
                          Imagebase: 0xea0000
                          File size: 565248 bytes
                          MD5 hash: B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: .Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation: low

                          General

                          Start time: 10:12:25
                          Start date: 22/07/2021
                          Path: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Wow64 process (32bit): false
                          Commandline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Imagebase: 0x2a0000
                          File size: 565248 bytes
                          MD5 hash: B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 24%, Virustotal
                          • Detection: 23%, Metadefender
                          • Detection: 32%, ReversingLabs
                          Reputation: low

                          General

                          Start time: 10:12:27
                          Start date: 22/07/2021
                          Path: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Wow64 process (32bit): true
                          Commandline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Imagebase: 0x8a0000
                          File size: 565248 bytes
                          MD5 hash: B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: .Net C# or VB.NET
                          Reputation: low

                          General

                          Start time: 10:12:30
                          Start date: 22/07/2021
                          Path: C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit): true
                          Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp'
                          Imagebase: 0x930000
                          File size: 185856 bytes
                          MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high

                          General

                          Start time: 10:12:30
                          Start date: 22/07/2021
                          Path: C:\Windows\System32\conhost.exe
                          Wow64 process (32bit): false
                          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase: 0x7ff6b2800000
                          File size: 625664 bytes
                          MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high

                          General

                          Start time: 10:12:32
                          Start date: 22/07/2021
                          Path: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Wow64 process (32bit): true
                          Commandline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe 0
                          Imagebase: 0xf0000
                          File size: 565248 bytes
                          MD5 hash: B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: .Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation: low

                          General

                          Start time: 10:12:39
                          Start date: 22/07/2021
                          Path: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Wow64 process (32bit): true
                          Commandline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Imagebase: 0x930000
                          File size: 565248 bytes
                          MD5 hash: B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: .Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation: low