
Windows Analysis Report zrvAIscZsc

Overview

General Information

Sample Name: zrvAIscZsc (renamed file extension from none to exe)
Analysis ID: 452693
MD5: e85a0e1e81acbcea6a0e10eeedf32f6d
SHA1: 3c613a4d232645cccbc7c1d8a3a8afb54cd2d56c
SHA256: ae7399822ad5ef4d9bd2690df74f6f1b472103380be74fca33611ce7265ebc01
Tags: 32exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • zrvAIscZsc.exe (PID: 2528 cmdline: 'C:\Users\user\Desktop\zrvAIscZsc.exe' MD5: E85A0E1E81ACBCEA6A0E10EEEDF32F6D)
    • schtasks.exe (PID: 5368 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • zrvAIscZsc.exe (PID: 5388 cmdline: C:\Users\user\Desktop\zrvAIscZsc.exe MD5: E85A0E1E81ACBCEA6A0E10EEEDF32F6D)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "max.mccanna@metaltek.me", "Password": "GODGRACE12345", "Host": "mail.privateemail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000B.00000002.488036302.0000000003020000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.488036302.0000000003020000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.487381781.0000000002F71000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.487381781.0000000002F71000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.483340668.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
11.2.zrvAIscZsc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.zrvAIscZsc.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 11.2.zrvAIscZsc.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "max.mccanna@metaltek.me", "Password": "GODGRACE12345", "Host": "mail.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\JxCmQoa.exe | ReversingLabs: Detection: 23%
Multi AV Scanner detection for submitted file
Source: zrvAIscZsc.exe | Virustotal: Detection: 27%
Source: zrvAIscZsc.exe | ReversingLabs: Detection: 23%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\JxCmQoa.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: zrvAIscZsc.exe | Joe Sandbox ML: detected
Source: 11.2.zrvAIscZsc.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: zrvAIscZsc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: zrvAIscZsc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DB46A0
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DB35C4
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DB8360
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DB45B0
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DB5390
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DBD300
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\JxCmQoa.exe AE7399822AD5EF4D9BD2690DF74F6F1B472103380BE74FCA33611CE7265EBC01
Source: zrvAIscZsc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: JxCmQoa.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zrvAIscZsc.exe, 00000001.00000000.217476941.0000000000BCA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLSATRANSLATEDNA.exe8 vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe, 0000000B.00000002.491415827.0000000005450000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe, 0000000B.00000002.491809398.0000000006000000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe, 0000000B.00000002.484225020.0000000000B8A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLSATRANSLATEDNA.exe8 vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe, 0000000B.00000002.483340668.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamefJWEMUWjErGHLdFyKjvzsAc.exe4 vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe | Binary or memory string: OriginalFilenameLSATRANSLATEDNA.exe8 vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: JxCmQoa.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: zrvAIscZsc.exe, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: JxCmQoa.exe.1.dr, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.zrvAIscZsc.exe.b00000.0.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: zrvAIscZsc.exe, 00000001.00000003.226342121.0000000005EC5000.00000004.00000001.sdmp | Binary or memory string: DYu Type Library is a Trademark of JIYUKOBO Ltd. registered in Japan.slnt
Source: zrvAIscZsc.exe, 00000001.00000003.226778337.0000000005EC5000.00000004.00000001.sdmp | Binary or memory string: YUKOBO Ltd. registered in Japan.slnt
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/4@0/0
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | File created: C:\Users\user\AppData\Roaming\JxCmQoa.exe
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Mutant created: \Sessions\1\BaseNamedObjects\fKdScoFaGrq
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | File read: C:\Users\user\Desktop\zrvAIscZsc.exe
Source: unknown | Process created: C:\Users\user\Desktop\zrvAIscZsc.exe 'C:\Users\user\Desktop\zrvAIscZsc.exe'
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Process created: C:\Users\user\Desktop\zrvAIscZsc.exe C:\Users\user\Desktop\zrvAIscZsc.exe
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: zrvAIscZsc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: initial sample | Static PE information: section name: .text entropy: 7.56992954159
                Source: zrvAIscZsc.exe, TYrkToaGEMpjujrFga/prFipO63mgI0yvrVyq.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'T4ltQqiAVA', 'y5ALwKxnOC', 'SPFLlBsnwk', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'YDGLJl8xAQ'
                Source: zrvAIscZsc.exe, SxfIUXVJdgBjNDLFNB/AM2hB8Lor7USiIUZxs.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'vYjtFVkHe8', 'hSbFCsIf9U', 'VBYFGHvDmK', 'H6tFAkBj2Z', 'd1kFDWfdZN', 'L3LFTMp8Vp', 'QvMFQUJcSm', 'Xg0FwSp5eu'
                Source: zrvAIscZsc.exe, Q7gT9wnkWoJQtDsXhx/z2cKe65WbGPGIjxmwr.csHigh entropy of concatenated method names: 'GeLovehHWr', 'Fknosk0xkT', 'UkPo0qs5Tx', 'gW5oEr6ndm', 'Fnco8evmdm', 'KcsofG2qCq', 'bNZormYp4J', 'JyIoi8qVIn', 'V46omQE60N', 'IRnoIISvIs'
                Source: zrvAIscZsc.exe, okG58OBUEjZS4DZJG8/c2esVpS6KesUCjCATw.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'bbJZhccJiR', 'WlYYiQ9SWm', 'N60YcfEWYd', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'fbB55WM1tB'
                Source: zrvAIscZsc.exe, LNBaGnEQA3vyBDvVVi/em9cs2DYHr6JrqXilP.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'r1dZFhqXD1', 'YUHZLREAL5', 'HqoZ5K4kGc', 'TeeZY8InhQ', 'QrFZrlH2LO', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl'
                Source: zrvAIscZsc.exe, YIrq8QHhDSfadQYNKS/xKDYPZQDg30Ao09YpT.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'y7xNDvof1h', 'Q435Ja1njk', 'UkP5zqs5Tx', 'gW5Ybr6ndm', 'ET3Y4eM0Ov', 'FncYoevmdm', 'KcsYUG2qCq', 'JyIYt8qVIn'
                Source: zrvAIscZsc.exe, XcixWBkBVqsjcaY6KL/OFsmGHhgogBJuaQceU.csHigh entropy of concatenated method names: 'TBvUjS7lP8', 'Q4fUuNHHUD', 'KAFUylqVop', 'ChfU3RNQmq', 'xVFUPj7qNN', 'AGQUXMqKhN', 'jioUdE9HJL', 'J73URxXTnn', 'eJSUCUn5uo', 'd0UUGXJlsJ'
                Source: zrvAIscZsc.exe, Fa8VLXM23mORvR5dME/HCKUkDbh5y3OV2oc6A.csHigh entropy of concatenated method names: 'kfG46Gu61d', 'PTk4SqjEAg', 'fbB4eWM1tB', 'bqs422jkMh', 'HQR47fZ3vS', 'vXF494PUY4', 'kEZ4qjgk85', 'gvM41Y4HNO', 'GQJ4uSgJ1n', 'PjQ4K0TZCQ'
                Source: zrvAIscZsc.exe, bu1iYZjjaajwEIC7Iup/w9PdenjqgpAPWgp9wL5.csHigh entropy of concatenated method names: 'Dispose', 'QskaBtjAuY', 'AFqaPB2YbE', 'tVtaXuZSEy', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'rUR0VgYEXKD42V8HKGP', 'Fp8bSFYlanUNiKPqvWL'
                Source: zrvAIscZsc.exe, xn2PL6Ay0FbgjDCQUf/UyLOepCdZDDnGoRbQD.csHigh entropy of concatenated method names: '.ctor', 'opga4Q0sxF', 'BItaorKZTM', 'pLAaUnwosb', 'uAhatLyxpT', 'RARaNRD0l6', 'K9oaZAurMg', 'XCK7Hf3gDDwBligG6BE', 'QhJb123S9cGrcrHo9qN', 'Mv0W6M3PIhkEeZ5xXmb'
                Source: zrvAIscZsc.exe, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.csHigh entropy of concatenated method names: 'wTZaS0nBvA', 'TCNa7mT90D', 'C7sa9Heyhs', '.ctor', '.ctor', 'HvMakdf0Mv', 'RUJaehb7wV', 'hdta2bsLZX', 'UyyahGtghd', 'V2TQuv3O2GTfCCOhUOo'
                Source: zrvAIscZsc.exe, IHXFP9YcujtIe1fkv0/kTeD6mxEv4W0qYVQoh.csHigh entropy of concatenated method names: 'Q6RUMV6LIj', 'Oc1UOxefwD', 'ornUWFtLC6', 'hytUx6xd1I', 'L4NUv9v5d9', 'WP5UsWAMyC', 'ACsUplcTLj', 'xbdU0uPUah', 'rHFUE0Twv4', 'pAnUVksqey'
                Source: zrvAIscZsc.exe, edM23O9tYBo3W9lyds/OgdU2MJmnLuJrUAowu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'atTFyjqlwC', 'lriF3OBRwt', 'BreFBgaf10', 'KJ4FPKPpmT', 'zEfFXihnuJ', 'gcXFdvP77o', 'nAUFRaNNpm', 'JnrFHwJRTO'
                Source: zrvAIscZsc.exe, dFh6INFVpRyg1i1XS0/qAIrjXyqoofwXavk63.csHigh entropy of concatenated method names: '.ctor', 'RwOarlePvA', 'L1NamsEp4Q', 'tctaM9GGtw', 'bAXaOxs1nZ', 'D0FanqTD6a', 'TMXaWlJFKf', 'jgxaxDfADP', 'aqUagHR5bo', 'qa1avyK3VB'
                Source: zrvAIscZsc.exe, ngYh84jGCP5wkphDFk5/yEIfrdj7Dt1Iw9K447j.csHigh entropy of concatenated method names: '.ctor', 'q9OaGjku7c', 'TJ7aAv00Et', 'f0jaDqJSk2', 'qBHaTNRD8W', 'xkNaQK4wah', 'rNpaw40VDI', 'CLMal09RDm', 'VSDaJ3xt4v', 'nGdazASDKU'
                Source: JxCmQoa.exe.1.dr, TYrkToaGEMpjujrFga/prFipO63mgI0yvrVyq.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'T4ltQqiAVA', 'y5ALwKxnOC', 'SPFLlBsnwk', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'YDGLJl8xAQ'
                Source: JxCmQoa.exe.1.dr, ngYh84jGCP5wkphDFk5/yEIfrdj7Dt1Iw9K447j.csHigh entropy of concatenated method names: '.ctor', 'q9OaGjku7c', 'TJ7aAv00Et', 'f0jaDqJSk2', 'qBHaTNRD8W', 'xkNaQK4wah', 'rNpaw40VDI', 'CLMal09RDm', 'VSDaJ3xt4v', 'nGdazASDKU'
                Source: JxCmQoa.exe.1.dr, SxfIUXVJdgBjNDLFNB/AM2hB8Lor7USiIUZxs.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'vYjtFVkHe8', 'hSbFCsIf9U', 'VBYFGHvDmK', 'H6tFAkBj2Z', 'd1kFDWfdZN', 'L3LFTMp8Vp', 'QvMFQUJcSm', 'Xg0FwSp5eu'
                Source: JxCmQoa.exe.1.dr, Q7gT9wnkWoJQtDsXhx/z2cKe65WbGPGIjxmwr.csHigh entropy of concatenated method names: 'GeLovehHWr', 'Fknosk0xkT', 'UkPo0qs5Tx', 'gW5oEr6ndm', 'Fnco8evmdm', 'KcsofG2qCq', 'bNZormYp4J', 'JyIoi8qVIn', 'V46omQE60N', 'IRnoIISvIs'
                Source: JxCmQoa.exe.1.dr, okG58OBUEjZS4DZJG8/c2esVpS6KesUCjCATw.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'bbJZhccJiR', 'WlYYiQ9SWm', 'N60YcfEWYd', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'fbB55WM1tB'
                Source: JxCmQoa.exe.1.dr, LNBaGnEQA3vyBDvVVi/em9cs2DYHr6JrqXilP.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'r1dZFhqXD1', 'YUHZLREAL5', 'HqoZ5K4kGc', 'TeeZY8InhQ', 'QrFZrlH2LO', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl'
                Source: JxCmQoa.exe.1.dr, YIrq8QHhDSfadQYNKS/xKDYPZQDg30Ao09YpT.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'y7xNDvof1h', 'Q435Ja1njk', 'UkP5zqs5Tx', 'gW5Ybr6ndm', 'ET3Y4eM0Ov', 'FncYoevmdm', 'KcsYUG2qCq', 'JyIYt8qVIn'
                Source: JxCmQoa.exe.1.dr, IHXFP9YcujtIe1fkv0/kTeD6mxEv4W0qYVQoh.csHigh entropy of concatenated method names: 'Q6RUMV6LIj', 'Oc1UOxefwD', 'ornUWFtLC6', 'hytUx6xd1I', 'L4NUv9v5d9', 'WP5UsWAMyC', 'ACsUplcTLj', 'xbdU0uPUah', 'rHFUE0Twv4', 'pAnUVksqey'
                Source: JxCmQoa.exe.1.dr, XcixWBkBVqsjcaY6KL/OFsmGHhgogBJuaQceU.csHigh entropy of concatenated method names: 'TBvUjS7lP8', 'Q4fUuNHHUD', 'KAFUylqVop', 'ChfU3RNQmq', 'xVFUPj7qNN', 'AGQUXMqKhN', 'jioUdE9HJL', 'J73URxXTnn', 'eJSUCUn5uo', 'd0UUGXJlsJ'
                Source: JxCmQoa.exe.1.dr, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.csHigh entropy of concatenated method names: 'wTZaS0nBvA', 'TCNa7mT90D', 'C7sa9Heyhs', '.ctor', '.ctor', 'HvMakdf0Mv', 'RUJaehb7wV', 'hdta2bsLZX', 'UyyahGtghd', 'V2TQuv3O2GTfCCOhUOo'
                Source: JxCmQoa.exe.1.dr, Fa8VLXM23mORvR5dME/HCKUkDbh5y3OV2oc6A.csHigh entropy of concatenated method names: 'kfG46Gu61d', 'PTk4SqjEAg', 'fbB4eWM1tB', 'bqs422jkMh', 'HQR47fZ3vS', 'vXF494PUY4', 'kEZ4qjgk85', 'gvM41Y4HNO', 'GQJ4uSgJ1n', 'PjQ4K0TZCQ'
                Source: JxCmQoa.exe.1.dr, edM23O9tYBo3W9lyds/OgdU2MJmnLuJrUAowu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'atTFyjqlwC', 'lriF3OBRwt', 'BreFBgaf10', 'KJ4FPKPpmT', 'zEfFXihnuJ', 'gcXFdvP77o', 'nAUFRaNNpm', 'JnrFHwJRTO'
                Source: JxCmQoa.exe.1.dr, xn2PL6Ay0FbgjDCQUf/UyLOepCdZDDnGoRbQD.csHigh entropy of concatenated method names: '.ctor', 'opga4Q0sxF', 'BItaorKZTM', 'pLAaUnwosb', 'uAhatLyxpT', 'RARaNRD0l6', 'K9oaZAurMg', 'XCK7Hf3gDDwBligG6BE', 'QhJb123S9cGrcrHo9qN', 'Mv0W6M3PIhkEeZ5xXmb'
                Source: JxCmQoa.exe.1.dr, dFh6INFVpRyg1i1XS0/qAIrjXyqoofwXavk63.csHigh entropy of concatenated method names: '.ctor', 'RwOarlePvA', 'L1NamsEp4Q', 'tctaM9GGtw', 'bAXaOxs1nZ', 'D0FanqTD6a', 'TMXaWlJFKf', 'jgxaxDfADP', 'aqUagHR5bo', 'qa1avyK3VB'
                Source: JxCmQoa.exe.1.dr, bu1iYZjjaajwEIC7Iup/w9PdenjqgpAPWgp9wL5.csHigh entropy of concatenated method names: 'Dispose', 'QskaBtjAuY', 'AFqaPB2YbE', 'tVtaXuZSEy', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'rUR0VgYEXKD42V8HKGP', 'Fp8bSFYlanUNiKPqvWL'
                Source: 1.0.zrvAIscZsc.exe.b00000.0.unpack, 11.2.zrvAIscZsc.exe.ac0000.1.unpack and 11.0.zrvAIscZsc.exe.ac0000.0.unpack - High entropy of concatenated method names. The same 15 obfuscated classes, with identical method-name lists, are reported for all three unpacked images (five of them also for the dropped file JxCmQoa.exe.1.dr); each class is listed once:
                TYrkToaGEMpjujrFga/prFipO63mgI0yvrVyq.cs: '.ctor', 'Dispose', 'T4ltQqiAVA', 'y5ALwKxnOC', 'SPFLlBsnwk', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'YDGLJl8xAQ'
                Q7gT9wnkWoJQtDsXhx/z2cKe65WbGPGIjxmwr.cs: 'GeLovehHWr', 'Fknosk0xkT', 'UkPo0qs5Tx', 'gW5oEr6ndm', 'Fnco8evmdm', 'KcsofG2qCq', 'bNZormYp4J', 'JyIoi8qVIn', 'V46omQE60N', 'IRnoIISvIs'
                okG58OBUEjZS4DZJG8/c2esVpS6KesUCjCATw.cs: '.ctor', 'Dispose', 'bbJZhccJiR', 'WlYYiQ9SWm', 'N60YcfEWYd', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'fbB55WM1tB'
                LNBaGnEQA3vyBDvVVi/em9cs2DYHr6JrqXilP.cs: '.ctor', 'Dispose', 'r1dZFhqXD1', 'YUHZLREAL5', 'HqoZ5K4kGc', 'TeeZY8InhQ', 'QrFZrlH2LO', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl'
                YIrq8QHhDSfadQYNKS/xKDYPZQDg30Ao09YpT.cs: '.ctor', 'Dispose', 'y7xNDvof1h', 'Q435Ja1njk', 'UkP5zqs5Tx', 'gW5Ybr6ndm', 'ET3Y4eM0Ov', 'FncYoevmdm', 'KcsYUG2qCq', 'JyIYt8qVIn'
                Fa8VLXM23mORvR5dME/HCKUkDbh5y3OV2oc6A.cs: 'kfG46Gu61d', 'PTk4SqjEAg', 'fbB4eWM1tB', 'bqs422jkMh', 'HQR47fZ3vS', 'vXF494PUY4', 'kEZ4qjgk85', 'gvM41Y4HNO', 'GQJ4uSgJ1n', 'PjQ4K0TZCQ'
                aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs: 'wTZaS0nBvA', 'TCNa7mT90D', 'C7sa9Heyhs', '.ctor', '.ctor', 'HvMakdf0Mv', 'RUJaehb7wV', 'hdta2bsLZX', 'UyyahGtghd', 'V2TQuv3O2GTfCCOhUOo'
                XcixWBkBVqsjcaY6KL/OFsmGHhgogBJuaQceU.cs: 'TBvUjS7lP8', 'Q4fUuNHHUD', 'KAFUylqVop', 'ChfU3RNQmq', 'xVFUPj7qNN', 'AGQUXMqKhN', 'jioUdE9HJL', 'J73URxXTnn', 'eJSUCUn5uo', 'd0UUGXJlsJ'
                IHXFP9YcujtIe1fkv0/kTeD6mxEv4W0qYVQoh.cs: 'Q6RUMV6LIj', 'Oc1UOxefwD', 'ornUWFtLC6', 'hytUx6xd1I', 'L4NUv9v5d9', 'WP5UsWAMyC', 'ACsUplcTLj', 'xbdU0uPUah', 'rHFUE0Twv4', 'pAnUVksqey'
                bu1iYZjjaajwEIC7Iup/w9PdenjqgpAPWgp9wL5.cs: 'Dispose', 'QskaBtjAuY', 'AFqaPB2YbE', 'tVtaXuZSEy', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'rUR0VgYEXKD42V8HKGP', 'Fp8bSFYlanUNiKPqvWL'
                edM23O9tYBo3W9lyds/OgdU2MJmnLuJrUAowu.cs: '.ctor', 'Dispose', 'atTFyjqlwC', 'lriF3OBRwt', 'BreFBgaf10', 'KJ4FPKPpmT', 'zEfFXihnuJ', 'gcXFdvP77o', 'nAUFRaNNpm', 'JnrFHwJRTO'
                dFh6INFVpRyg1i1XS0/qAIrjXyqoofwXavk63.cs: '.ctor', 'RwOarlePvA', 'L1NamsEp4Q', 'tctaM9GGtw', 'bAXaOxs1nZ', 'D0FanqTD6a', 'TMXaWlJFKf', 'jgxaxDfADP', 'aqUagHR5bo', 'qa1avyK3VB'
                ngYh84jGCP5wkphDFk5/yEIfrdj7Dt1Iw9K447j.cs: '.ctor', 'q9OaGjku7c', 'TJ7aAv00Et', 'f0jaDqJSk2', 'qBHaTNRD8W', 'xkNaQK4wah', 'rNpaw40VDI', 'CLMal09RDm', 'VSDaJ3xt4v', 'nGdazASDKU'
                xn2PL6Ay0FbgjDCQUf/UyLOepCdZDDnGoRbQD.cs: '.ctor', 'opga4Q0sxF', 'BItaorKZTM', 'pLAaUnwosb', 'uAhatLyxpT', 'RARaNRD0l6', 'K9oaZAurMg', 'XCK7Hf3gDDwBligG6BE', 'QhJb123S9cGrcrHo9qN', 'Mv0W6M3PIhkEeZ5xXmb'
                SxfIUXVJdgBjNDLFNB/AM2hB8Lor7USiIUZxs.cs: '.ctor', 'Dispose', 'vYjtFVkHe8', 'hSbFCsIf9U', 'VBYFGHvDmK', 'H6tFAkBj2Z', 'd1kFDWfdZN', 'L3LFTMp8Vp', 'QvMFQUJcSm', 'Xg0FwSp5eu'
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - File created: C:\Users\user\AppData\Roaming\JxCmQoa.exe (dropped file)

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp' (the task definition is imported from an XML file staged in the user's Temp directory and registered under the Updates\ folder of the Task Scheduler library; the task name matches the dropped file JxCmQoa.exe, and the XML content itself is not reproduced in the report)
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Process information set: NOOPENFILEERRORBOX (81 identical entries in the original report; this is SetErrorMode(SEM_NOOPENFILEERRORBOX), which only suppresses the "file not found" dialog and is a weak indicator on its own)
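A triage helper for the scheduled-task persistence recorded above, added here as an example; it is not part of the Joe Sandbox report or of the sample. It pulls the task name and XML path out of the logged schtasks.exe command line and parses a Task Scheduler XML definition for the properties a responder checks first (trigger type, action command, hidden flag, where the XML was staged). The XML it parses is constructed for the example: the report does not reproduce the contents of tmp3A6D.tmp, and the action command pointing at the dropped C:\Users\user\AppData\Roaming\JxCmQoa.exe is an assumption based on the matching task and file names.

```python
"""Scheduled-task persistence triage (added example, not report or sample code).

Given the schtasks.exe command line logged above and a Task Scheduler XML
definition, extract where the XML was staged, what the task runs and when.
The XML below is CONSTRUCTED; the report does not show tmp3A6D.tmp itself.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 XML definitions (schtasks /XML input).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Command line as logged in the report (Joe Sandbox renders quotes as ').
SCHTASKS_CMDLINE = (
    r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' "
    r"/XML 'C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp'"
)

# Constructed task definition. The Command path is an ASSUMPTION based on the
# dropped file and the matching task name; the real tmp3A6D.tmp is not shown.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\JxCmQoa.exe</Command></Exec>
  </Actions>
</Task>"""

_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
# Locations an unprivileged user can write to; a task action living there is suspect.
_USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)
_USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)


def tokenize_cmdline(cmdline: str) -> list:
    """Split a Windows command line, honouring single- or double-quoted tokens."""
    toks = []
    for tok in _TOKEN.findall(cmdline):
        if len(tok) >= 2 and tok[0] in "'\"" and tok[-1] == tok[0]:
            tok = tok[1:-1]
        toks.append(tok)
    return toks


def parse_schtasks(cmdline: str) -> dict:
    """Pull /Create, /TN and /XML out of a schtasks.exe command line."""
    toks = tokenize_cmdline(cmdline)
    info = {"image": toks[0] if toks else "", "create": False, "task_name": None, "xml_path": None}
    i = 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/create":
            info["create"] = True
        elif flag in ("/tn", "/xml") and i + 1 < len(toks):
            info["task_name" if flag == "/tn" else "xml_path"] = toks[i + 1]
            i += 1
        i += 1
    return info


def parse_task_xml(xml_text: str) -> dict:
    """Extract action, triggers and the Hidden flag from a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, TASK_NS)
        return node.text.strip() if node is not None and node.text else None

    triggers_node = root.find("t:Triggers", TASK_NS)
    triggers = [] if triggers_node is None else [c.tag.split("}")[-1] for c in triggers_node]
    return {
        "command": text("t:Actions/t:Exec/t:Command"),
        "triggers": triggers,
        "hidden": (text("t:Settings/t:Hidden") or "false").lower() == "true",
    }


def assess_task(cmdline: str, xml_text: str) -> dict:
    """Combine both sources into the findings a responder would write up."""
    cmd = parse_schtasks(cmdline)
    task = parse_task_xml(xml_text)
    findings = []
    if cmd["create"] and cmd["xml_path"] and _USER_TEMP.search(cmd["xml_path"]):
        findings.append("task registered from an XML file staged in the user's Temp directory")
    if task["command"] and _USER_WRITABLE.match(task["command"]):
        findings.append("task action runs an executable from a user-writable location")
    if "LogonTrigger" in task["triggers"]:
        findings.append("LogonTrigger: the action re-runs at every logon")
    if task["hidden"]:
        findings.append("task is flagged Hidden in the Task Scheduler UI")
    return {"task_name": cmd["task_name"], "command": task["command"],
            "triggers": task["triggers"], "findings": findings}
```

On a live host the same XML can be obtained with `schtasks /Query /TN "Updates\JxCmQoa" /XML`, or read from C:\Windows\System32\Tasks\Updates\JxCmQoa, and fed to `parse_task_xml` unchanged.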

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Thread delayed: delay time: 922337203685477 (4 identical entries in the original report)
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Thread delayed: delay time: 60764
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Thread delayed: delay time: 40000
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Window / User API: threadDelayed 2106
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Window / User API: threadDelayed 7729
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 4608 - Thread sleep time: -60764s >= -30000s
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 4608 - Thread sleep time: -40000s >= -30000s
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 5032 - Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 3412 - Thread sleep time: -15679732462653109s >= -30000s
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 5276 - Thread sleep count: 2106 > 30
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 5276 - Thread sleep count: 7729 > 30
                Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
                Note on the delay values: the negative numbers are the relative intervals passed to NtDelayExecution as the sandbox logs them, and they are milliseconds despite the "s" suffix. 922337203685477 is the Int64 limit converted from 100-ns ticks to milliseconds (9223372036854775807 / 10000) and therefore denotes an unbounded wait rather than a timed sleep; 15679732462653109 is larger than a single Int64 interval can encode and is most likely a decoding artifact. The two genuine long sleeps are 60764 and 40000 ms, both above the 30000 ms threshold the report applies.
                Source: zrvAIscZsc.exe, 0000000B.00000002.491809398.0000000006000000.00000002.00000001.sdmp - Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: zrvAIscZsc.exe - Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
                Source: zrvAIscZsc.exe, 0000000B.00000002.491809398.0000000006000000.00000002.00000001.sdmp - Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: zrvAIscZsc.exe, 0000000B.00000002.491809398.0000000006000000.00000002.00000001.sdmp - Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: zrvAIscZsc.exe, 0000000B.00000002.492576417.0000000006AD0000.00000004.00000001.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
                Source: zrvAIscZsc.exe, 0000000B.00000002.491809398.0000000006000000.00000002.00000001.sdmp - Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Note: the Hyper-V strings are standard Windows message text (Host Compute Service error messages and the Winsock catalog entry for the Hyper-V socket provider in mswsock.dll) that is mapped into most processes; on their own they do not show that the sample checks for Hyper-V. The WMI enumeration of Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration is the substantive VM-fingerprinting evidence in this section.
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Process token adjusted: Debug (2 identical entries in the original report)
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into foreign processes
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Memory written: C:\Users\user\Desktop\zrvAIscZsc.exe base: 400000 value starts with: 4D5A (0x4D5A is the 'MZ' DOS-header magic and 0x400000 the default image base of a 32-bit executable: a PE image is written over the image region of the second, suspended instance of the sample, consistent with process hollowing)
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp'
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Process created: C:\Users\user\Desktop\zrvAIscZsc.exe C:\Users\user\Desktop\zrvAIscZsc.exe
                Source: zrvAIscZsc.exe, 0000000B.00000002.486104908.0000000001830000.00000002.00000001.sdmp - Binary or memory string: Program Manager
                Source: zrvAIscZsc.exe, 0000000B.00000002.486104908.0000000001830000.00000002.00000001.sdmp - Binary or memory string: Shell_TrayWnd
                Source: zrvAIscZsc.exe, 0000000B.00000002.486104908.0000000001830000.00000002.00000001.sdmp - Binary or memory string: Progman
                Source: zrvAIscZsc.exe, 0000000B.00000002.486104908.0000000001830000.00000002.00000001.sdmp - Binary or memory string: Progmanlock
                Note: Progman ("Program Manager") and Shell_TrayWnd are the window class names of the desktop and the taskbar; their presence in process memory is weak evidence on its own.
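The evidence in the evasion section above (WMI enumeration of Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration, thread delays above the report's 30000 ms threshold) and the injection evidence here (a second instance of the sample created, then a buffer starting 4D5A written into it at 0x400000) is a sequence a detection engineer wants to correlate rather than alert on line by line. The following Python is an added example, not code from the report or from the sample: it replays a constructed event stream modelled on this report through three stateful rules. The event schema, the process numbers and the PE header bytes are invented for the example; real telemetry (Sysmon, EDR or sandbox hooks) needs a mapping layer in front of it.

```python
"""Correlation of the hollowing and evasion evidence (added example, not report code).

A CONSTRUCTED event stream modelled on the report (WMI hardware enumeration,
long thread delays, a suspended second instance of the sample, an MZ-prefixed
write at 0x400000 into it) is replayed through three stateful rules.
The event schema and process numbers are invented for this example.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004        # CreateProcess dwCreationFlags bit
DEFAULT_IMAGE_BASE_32 = 0x00400000   # linker default image base for 32-bit EXEs
SLEEP_THRESHOLD_MS = 30_000          # the threshold the report applies to sleeps
VM_FINGERPRINT_CLASSES = {           # WMI classes the report shows being enumerated
    "Win32_BaseBoard", "Win32_Bios", "Win32_Processor",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
}
SAMPLE = r"C:\Users\user\Desktop\zrvAIscZsc.exe"


def make_pe_prefix() -> bytes:
    """Constructed PE header prefix: 'MZ', e_lfanew at 0x3C -> 0x40, then 'PE\\0\\0'."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def looks_like_pe(data: bytes) -> bool:
    """True if the buffer starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed events; pid 1 is the sample, pid 11 the instance it spawns, as in the report.
EVENTS = [
    {"type": "wmi_query", "pid": 1, "class": "Win32_BaseBoard"},
    {"type": "wmi_query", "pid": 1, "class": "Win32_Processor"},
    {"type": "wmi_query", "pid": 1, "class": "Win32_NetworkAdapterConfiguration"},
    {"type": "thread_delay", "pid": 1, "ms": 60764},
    {"type": "thread_delay", "pid": 1, "ms": 40000},
    {"type": "process_create", "pid": 1, "image": SAMPLE, "child_pid": 11,
     "child_image": SAMPLE, "flags": CREATE_SUSPENDED},
    {"type": "memory_write", "pid": 1, "target_pid": 11,
     "base": DEFAULT_IMAGE_BASE_32, "data": make_pe_prefix()},
    {"type": "thread_resume", "pid": 1, "target_pid": 11},
]


class BehaviourCorrelator:
    def __init__(self):
        self.suspended = {}               # child pid -> (creator pid, same image as creator?)
        self.wmi_seen = defaultdict(set)  # pid -> WMI classes enumerated so far
        self.delay_ms = defaultdict(int)  # pid -> cumulative thread delay
        self.findings = []

    def feed(self, ev: dict) -> None:
        handler = getattr(self, "_on_" + ev["type"], None)
        if handler is not None:
            handler(ev)

    def _on_process_create(self, ev):
        if ev["flags"] & CREATE_SUSPENDED:
            same = ev["image"].lower() == ev["child_image"].lower()
            self.suspended[ev["child_pid"]] = (ev["pid"], same)

    def _on_memory_write(self, ev):
        # Hollowing: the creator writes a PE image into a child it still holds suspended.
        state = self.suspended.get(ev["target_pid"])
        if state and state[0] == ev["pid"] and looks_like_pe(ev["data"]):
            kind = "self-hollowing" if state[1] else "process hollowing"
            self.findings.append(f"{kind}: pid {ev['pid']} wrote a PE header into suspended "
                                 f"pid {ev['target_pid']} at 0x{ev['base']:X}")

    def _on_thread_resume(self, ev):
        self.suspended.pop(ev["target_pid"], None)  # writes after resume are not hollowing

    def _on_wmi_query(self, ev):
        seen = self.wmi_seen[ev["pid"]]
        seen.add(ev["class"])
        if len(seen & VM_FINGERPRINT_CLASSES) == 2:  # fire once, on the second hardware class
            self.findings.append(f"VM fingerprinting: pid {ev['pid']} enumerated "
                                 f"{sorted(seen & VM_FINGERPRINT_CLASSES)}")

    def _on_thread_delay(self, ev):
        before = self.delay_ms[ev["pid"]]
        self.delay_ms[ev["pid"]] = before + ev["ms"]
        if before <= SLEEP_THRESHOLD_MS < before + ev["ms"]:  # fire once, on crossing
            self.findings.append(f"sleep evasion: pid {ev['pid']} delayed more than "
                                 f"{SLEEP_THRESHOLD_MS} ms in total")


def run(events) -> list:
    """Replay an event list and return the findings in detection order."""
    c = BehaviourCorrelator()
    for ev in events:
        c.feed(ev)
    return c.findings
```

The hollowing rule keys on state rather than on the MZ bytes alone: a write only counts if the writer is the process that created the target suspended and the target has not been resumed yet, and `looks_like_pe` also checks that e_lfanew lands on the PE signature, so a stray "MZ" in a data buffer does not fire it.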
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Queries volume information: C:\Users\user\Desktop\zrvAIscZsc.exe VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe - Queries volume information (VolumeInformation) on the following files under C:\Windows\Fonts\: arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf, calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf
                Note: the GAC assembly and font queries are what a .NET Windows Forms application with System.Drawing loaded performs on startup (GDI+ enumerates the installed fonts); they confirm the sample is a WinForms .NET executable but are not malicious behaviour on their own.
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation