
Windows Analysis Report zrvAIscZsc

Overview

General Information

Sample Name: zrvAIscZsc (renamed file extension from none to exe)
Analysis ID: 452693
MD5: e85a0e1e81acbcea6a0e10eeedf32f6d
SHA1: 3c613a4d232645cccbc7c1d8a3a8afb54cd2d56c
SHA256: ae7399822ad5ef4d9bd2690df74f6f1b472103380be74fca33611ce7265ebc01
Tags: 32exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • zrvAIscZsc.exe (PID: 2528 cmdline: 'C:\Users\user\Desktop\zrvAIscZsc.exe' MD5: E85A0E1E81ACBCEA6A0E10EEEDF32F6D)
    • schtasks.exe (PID: 5368 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • zrvAIscZsc.exe (PID: 5388 cmdline: C:\Users\user\Desktop\zrvAIscZsc.exe MD5: E85A0E1E81ACBCEA6A0E10EEEDF32F6D)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "max.mccanna@metaltek.me", "Password": "GODGRACE12345", "Host": "mail.privateemail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000B.00000002.488036302.0000000003020000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.488036302.0000000003020000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.487381781.0000000002F71000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.487381781.0000000002F71000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.483340668.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(3 further entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author
11.2.zrvAIscZsc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.zrvAIscZsc.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 11.2.zrvAIscZsc.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "max.mccanna@metaltek.me", "Password": "GODGRACE12345", "Host": "mail.privateemail.com"}

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\JxCmQoa.exe | ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file
Source: zrvAIscZsc.exe | Virustotal: Detection: 27%
Source: zrvAIscZsc.exe | ReversingLabs: Detection: 23%

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\JxCmQoa.exe | Joe Sandbox ML: detected

Machine Learning detection for sample
Source: zrvAIscZsc.exe | Joe Sandbox ML: detected

Source: 11.2.zrvAIscZsc.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: zrvAIscZsc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: zrvAIscZsc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DB46A0
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DB35C4
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DB8360
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DB45B0
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DB5390
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Code function: 11_2_02DBD300
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\JxCmQoa.exe AE7399822AD5EF4D9BD2690DF74F6F1B472103380BE74FCA33611CE7265EBC01
Source: zrvAIscZsc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: JxCmQoa.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zrvAIscZsc.exe, 00000001.00000000.217476941.0000000000BCA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLSATRANSLATEDNA.exe8 vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe, 0000000B.00000002.491415827.0000000005450000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe, 0000000B.00000002.491809398.0000000006000000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe, 0000000B.00000002.484225020.0000000000B8A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLSATRANSLATEDNA.exe8 vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe, 0000000B.00000002.483340668.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamefJWEMUWjErGHLdFyKjvzsAc.exe4 vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe | Binary or memory string: OriginalFilenameLSATRANSLATEDNA.exe8 vs zrvAIscZsc.exe
Source: zrvAIscZsc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: JxCmQoa.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: zrvAIscZsc.exe, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: JxCmQoa.exe.1.dr, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.zrvAIscZsc.exe.b00000.0.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: zrvAIscZsc.exe, 00000001.00000003.226342121.0000000005EC5000.00000004.00000001.sdmp | Binary or memory string: DYu Type Library is a Trademark of JIYUKOBO Ltd. registered in Japan.slnt
Source: zrvAIscZsc.exe, 00000001.00000003.226778337.0000000005EC5000.00000004.00000001.sdmp | Binary or memory string: YUKOBO Ltd. registered in Japan.slnt
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/4@0/0
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | File created: C:\Users\user\AppData\Roaming\JxCmQoa.exe
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Mutant created: \Sessions\1\BaseNamedObjects\fKdScoFaGrq
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | File read: C:\Users\user\Desktop\zrvAIscZsc.exe
Source: unknown | Process created: C:\Users\user\Desktop\zrvAIscZsc.exe 'C:\Users\user\Desktop\zrvAIscZsc.exe'
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Process created: C:\Users\user\Desktop\zrvAIscZsc.exe C:\Users\user\Desktop\zrvAIscZsc.exe
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\zrvAIscZsc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: zrvAIscZsc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: initial sample | Static PE information: section name: .text entropy: 7.56992954159
                Source: 1.0.zrvAIscZsc.exe.b00000.0.unpack, ngYh84jGCP5wkphDFk5/yEIfrdj7Dt1Iw9K447j.csHigh entropy of concatenated method names: '.ctor', 'q9OaGjku7c', 'TJ7aAv00Et', 'f0jaDqJSk2', 'qBHaTNRD8W', 'xkNaQK4wah', 'rNpaw40VDI', 'CLMal09RDm', 'VSDaJ3xt4v', 'nGdazASDKU'
                Source: 1.0.zrvAIscZsc.exe.b00000.0.unpack, xn2PL6Ay0FbgjDCQUf/UyLOepCdZDDnGoRbQD.csHigh entropy of concatenated method names: '.ctor', 'opga4Q0sxF', 'BItaorKZTM', 'pLAaUnwosb', 'uAhatLyxpT', 'RARaNRD0l6', 'K9oaZAurMg', 'XCK7Hf3gDDwBligG6BE', 'QhJb123S9cGrcrHo9qN', 'Mv0W6M3PIhkEeZ5xXmb'
                Source: 1.0.zrvAIscZsc.exe.b00000.0.unpack, SxfIUXVJdgBjNDLFNB/AM2hB8Lor7USiIUZxs.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'vYjtFVkHe8', 'hSbFCsIf9U', 'VBYFGHvDmK', 'H6tFAkBj2Z', 'd1kFDWfdZN', 'L3LFTMp8Vp', 'QvMFQUJcSm', 'Xg0FwSp5eu'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, TYrkToaGEMpjujrFga/prFipO63mgI0yvrVyq.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'T4ltQqiAVA', 'y5ALwKxnOC', 'SPFLlBsnwk', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'YDGLJl8xAQ'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, SxfIUXVJdgBjNDLFNB/AM2hB8Lor7USiIUZxs.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'vYjtFVkHe8', 'hSbFCsIf9U', 'VBYFGHvDmK', 'H6tFAkBj2Z', 'd1kFDWfdZN', 'L3LFTMp8Vp', 'QvMFQUJcSm', 'Xg0FwSp5eu'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, okG58OBUEjZS4DZJG8/c2esVpS6KesUCjCATw.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'bbJZhccJiR', 'WlYYiQ9SWm', 'N60YcfEWYd', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'fbB55WM1tB'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, Q7gT9wnkWoJQtDsXhx/z2cKe65WbGPGIjxmwr.csHigh entropy of concatenated method names: 'GeLovehHWr', 'Fknosk0xkT', 'UkPo0qs5Tx', 'gW5oEr6ndm', 'Fnco8evmdm', 'KcsofG2qCq', 'bNZormYp4J', 'JyIoi8qVIn', 'V46omQE60N', 'IRnoIISvIs'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, LNBaGnEQA3vyBDvVVi/em9cs2DYHr6JrqXilP.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'r1dZFhqXD1', 'YUHZLREAL5', 'HqoZ5K4kGc', 'TeeZY8InhQ', 'QrFZrlH2LO', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, YIrq8QHhDSfadQYNKS/xKDYPZQDg30Ao09YpT.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'y7xNDvof1h', 'Q435Ja1njk', 'UkP5zqs5Tx', 'gW5Ybr6ndm', 'ET3Y4eM0Ov', 'FncYoevmdm', 'KcsYUG2qCq', 'JyIYt8qVIn'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, XcixWBkBVqsjcaY6KL/OFsmGHhgogBJuaQceU.csHigh entropy of concatenated method names: 'TBvUjS7lP8', 'Q4fUuNHHUD', 'KAFUylqVop', 'ChfU3RNQmq', 'xVFUPj7qNN', 'AGQUXMqKhN', 'jioUdE9HJL', 'J73URxXTnn', 'eJSUCUn5uo', 'd0UUGXJlsJ'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, Fa8VLXM23mORvR5dME/HCKUkDbh5y3OV2oc6A.csHigh entropy of concatenated method names: 'kfG46Gu61d', 'PTk4SqjEAg', 'fbB4eWM1tB', 'bqs422jkMh', 'HQR47fZ3vS', 'vXF494PUY4', 'kEZ4qjgk85', 'gvM41Y4HNO', 'GQJ4uSgJ1n', 'PjQ4K0TZCQ'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, edM23O9tYBo3W9lyds/OgdU2MJmnLuJrUAowu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'atTFyjqlwC', 'lriF3OBRwt', 'BreFBgaf10', 'KJ4FPKPpmT', 'zEfFXihnuJ', 'gcXFdvP77o', 'nAUFRaNNpm', 'JnrFHwJRTO'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.csHigh entropy of concatenated method names: 'wTZaS0nBvA', 'TCNa7mT90D', 'C7sa9Heyhs', '.ctor', '.ctor', 'HvMakdf0Mv', 'RUJaehb7wV', 'hdta2bsLZX', 'UyyahGtghd', 'V2TQuv3O2GTfCCOhUOo'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, xn2PL6Ay0FbgjDCQUf/UyLOepCdZDDnGoRbQD.csHigh entropy of concatenated method names: '.ctor', 'opga4Q0sxF', 'BItaorKZTM', 'pLAaUnwosb', 'uAhatLyxpT', 'RARaNRD0l6', 'K9oaZAurMg', 'XCK7Hf3gDDwBligG6BE', 'QhJb123S9cGrcrHo9qN', 'Mv0W6M3PIhkEeZ5xXmb'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, IHXFP9YcujtIe1fkv0/kTeD6mxEv4W0qYVQoh.csHigh entropy of concatenated method names: 'Q6RUMV6LIj', 'Oc1UOxefwD', 'ornUWFtLC6', 'hytUx6xd1I', 'L4NUv9v5d9', 'WP5UsWAMyC', 'ACsUplcTLj', 'xbdU0uPUah', 'rHFUE0Twv4', 'pAnUVksqey'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, bu1iYZjjaajwEIC7Iup/w9PdenjqgpAPWgp9wL5.csHigh entropy of concatenated method names: 'Dispose', 'QskaBtjAuY', 'AFqaPB2YbE', 'tVtaXuZSEy', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'rUR0VgYEXKD42V8HKGP', 'Fp8bSFYlanUNiKPqvWL'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, dFh6INFVpRyg1i1XS0/qAIrjXyqoofwXavk63.csHigh entropy of concatenated method names: '.ctor', 'RwOarlePvA', 'L1NamsEp4Q', 'tctaM9GGtw', 'bAXaOxs1nZ', 'D0FanqTD6a', 'TMXaWlJFKf', 'jgxaxDfADP', 'aqUagHR5bo', 'qa1avyK3VB'
                Source: 11.2.zrvAIscZsc.exe.ac0000.1.unpack, ngYh84jGCP5wkphDFk5/yEIfrdj7Dt1Iw9K447j.csHigh entropy of concatenated method names: '.ctor', 'q9OaGjku7c', 'TJ7aAv00Et', 'f0jaDqJSk2', 'qBHaTNRD8W', 'xkNaQK4wah', 'rNpaw40VDI', 'CLMal09RDm', 'VSDaJ3xt4v', 'nGdazASDKU'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, TYrkToaGEMpjujrFga/prFipO63mgI0yvrVyq.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'T4ltQqiAVA', 'y5ALwKxnOC', 'SPFLlBsnwk', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'YDGLJl8xAQ'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, SxfIUXVJdgBjNDLFNB/AM2hB8Lor7USiIUZxs.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'vYjtFVkHe8', 'hSbFCsIf9U', 'VBYFGHvDmK', 'H6tFAkBj2Z', 'd1kFDWfdZN', 'L3LFTMp8Vp', 'QvMFQUJcSm', 'Xg0FwSp5eu'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, Q7gT9wnkWoJQtDsXhx/z2cKe65WbGPGIjxmwr.csHigh entropy of concatenated method names: 'GeLovehHWr', 'Fknosk0xkT', 'UkPo0qs5Tx', 'gW5oEr6ndm', 'Fnco8evmdm', 'KcsofG2qCq', 'bNZormYp4J', 'JyIoi8qVIn', 'V46omQE60N', 'IRnoIISvIs'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, LNBaGnEQA3vyBDvVVi/em9cs2DYHr6JrqXilP.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'r1dZFhqXD1', 'YUHZLREAL5', 'HqoZ5K4kGc', 'TeeZY8InhQ', 'QrFZrlH2LO', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, okG58OBUEjZS4DZJG8/c2esVpS6KesUCjCATw.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'bbJZhccJiR', 'WlYYiQ9SWm', 'N60YcfEWYd', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'fbB55WM1tB'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, YIrq8QHhDSfadQYNKS/xKDYPZQDg30Ao09YpT.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'y7xNDvof1h', 'Q435Ja1njk', 'UkP5zqs5Tx', 'gW5Ybr6ndm', 'ET3Y4eM0Ov', 'FncYoevmdm', 'KcsYUG2qCq', 'JyIYt8qVIn'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, Fa8VLXM23mORvR5dME/HCKUkDbh5y3OV2oc6A.csHigh entropy of concatenated method names: 'kfG46Gu61d', 'PTk4SqjEAg', 'fbB4eWM1tB', 'bqs422jkMh', 'HQR47fZ3vS', 'vXF494PUY4', 'kEZ4qjgk85', 'gvM41Y4HNO', 'GQJ4uSgJ1n', 'PjQ4K0TZCQ'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, edM23O9tYBo3W9lyds/OgdU2MJmnLuJrUAowu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'atTFyjqlwC', 'lriF3OBRwt', 'BreFBgaf10', 'KJ4FPKPpmT', 'zEfFXihnuJ', 'gcXFdvP77o', 'nAUFRaNNpm', 'JnrFHwJRTO'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, XcixWBkBVqsjcaY6KL/OFsmGHhgogBJuaQceU.csHigh entropy of concatenated method names: 'TBvUjS7lP8', 'Q4fUuNHHUD', 'KAFUylqVop', 'ChfU3RNQmq', 'xVFUPj7qNN', 'AGQUXMqKhN', 'jioUdE9HJL', 'J73URxXTnn', 'eJSUCUn5uo', 'd0UUGXJlsJ'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.csHigh entropy of concatenated method names: 'wTZaS0nBvA', 'TCNa7mT90D', 'C7sa9Heyhs', '.ctor', '.ctor', 'HvMakdf0Mv', 'RUJaehb7wV', 'hdta2bsLZX', 'UyyahGtghd', 'V2TQuv3O2GTfCCOhUOo'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, xn2PL6Ay0FbgjDCQUf/UyLOepCdZDDnGoRbQD.csHigh entropy of concatenated method names: '.ctor', 'opga4Q0sxF', 'BItaorKZTM', 'pLAaUnwosb', 'uAhatLyxpT', 'RARaNRD0l6', 'K9oaZAurMg', 'XCK7Hf3gDDwBligG6BE', 'QhJb123S9cGrcrHo9qN', 'Mv0W6M3PIhkEeZ5xXmb'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, IHXFP9YcujtIe1fkv0/kTeD6mxEv4W0qYVQoh.csHigh entropy of concatenated method names: 'Q6RUMV6LIj', 'Oc1UOxefwD', 'ornUWFtLC6', 'hytUx6xd1I', 'L4NUv9v5d9', 'WP5UsWAMyC', 'ACsUplcTLj', 'xbdU0uPUah', 'rHFUE0Twv4', 'pAnUVksqey'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, dFh6INFVpRyg1i1XS0/qAIrjXyqoofwXavk63.csHigh entropy of concatenated method names: '.ctor', 'RwOarlePvA', 'L1NamsEp4Q', 'tctaM9GGtw', 'bAXaOxs1nZ', 'D0FanqTD6a', 'TMXaWlJFKf', 'jgxaxDfADP', 'aqUagHR5bo', 'qa1avyK3VB'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, ngYh84jGCP5wkphDFk5/yEIfrdj7Dt1Iw9K447j.csHigh entropy of concatenated method names: '.ctor', 'q9OaGjku7c', 'TJ7aAv00Et', 'f0jaDqJSk2', 'qBHaTNRD8W', 'xkNaQK4wah', 'rNpaw40VDI', 'CLMal09RDm', 'VSDaJ3xt4v', 'nGdazASDKU'
                Source: 11.0.zrvAIscZsc.exe.ac0000.0.unpack, bu1iYZjjaajwEIC7Iup/w9PdenjqgpAPWgp9wL5.csHigh entropy of concatenated method names: 'Dispose', 'QskaBtjAuY', 'AFqaPB2YbE', 'tVtaXuZSEy', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'rUR0VgYEXKD42V8HKGP', 'Fp8bSFYlanUNiKPqvWL'
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeFile created: C:\Users\user\AppData\Roaming\JxCmQoa.exeJump to dropped file

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp'
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Window / User API: threadDelayed 2106
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Window / User API: threadDelayed 7729
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 4608 | Thread sleep time: -60764s >= -30000s
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 4608 | Thread sleep time: -40000s >= -30000s
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 5032 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 3412 | Thread sleep time: -15679732462653109s >= -30000s
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 5276 | Thread sleep count: 2106 > 30
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe TID: 5276 | Thread sleep count: 7729 > 30
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Thread delayed: delay time: 60764
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Thread delayed: delay time: 40000
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Thread delayed: delay time: 922337203685477
                Source: zrvAIscZsc.exe, 0000000B.00000002.491809398.0000000006000000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: zrvAIscZsc.exe | Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
                Source: zrvAIscZsc.exe, 0000000B.00000002.491809398.0000000006000000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: zrvAIscZsc.exe, 0000000B.00000002.491809398.0000000006000000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: zrvAIscZsc.exe, 0000000B.00000002.492576417.0000000006AD0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
                Source: zrvAIscZsc.exe, 0000000B.00000002.491809398.0000000006000000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign process
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Memory written: C:\Users\user\Desktop\zrvAIscZsc.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp'
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Process created: C:\Users\user\Desktop\zrvAIscZsc.exe C:\Users\user\Desktop\zrvAIscZsc.exe
                Source: zrvAIscZsc.exe, 0000000B.00000002.486104908.0000000001830000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                Source: zrvAIscZsc.exe, 0000000B.00000002.486104908.0000000001830000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: zrvAIscZsc.exe, 0000000B.00000002.486104908.0000000001830000.00000002.00000001.sdmp | Binary or memory string: Progman
                Source: zrvAIscZsc.exe, 0000000B.00000002.486104908.0000000001830000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Users\user\Desktop\zrvAIscZsc.exe VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Users\user\Desktop\zrvAIscZsc.exe | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                Source: C:\Users\user\Desktop\zrvAIscZsc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match | File source: 11.2.zrvAIscZsc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000B.00000002.483340668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match | File source: 11.2.zrvAIscZsc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000B.00000002.488036302.0000000003020000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.487381781.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.483340668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: zrvAIscZsc.exe PID: 5388, type: MEMORY

                Remote Access Functionality:

                Yara detected AgentTesla
                Source: Yara match | File source: 11.2.zrvAIscZsc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000B.00000002.483340668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match | File source: 11.2.zrvAIscZsc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000B.00000002.488036302.0000000003020000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.487381781.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.483340668.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: zrvAIscZsc.exe PID: 5388, type: MEMORY

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 211 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                Behavior Graph


                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                zrvAIscZsc.exe | 27% | Virustotal |
                zrvAIscZsc.exe | 24% | ReversingLabs | ByteCode-MSIL.Infostealer.Coins
                zrvAIscZsc.exe | 100% | Joe Sandbox ML |

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\JxCmQoa.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\JxCmQoa.exe | 24% | ReversingLabs | ByteCode-MSIL.Infostealer.Coins

                Unpacked PE Files

                Source | Detection | Scanner | Label
                11.2.zrvAIscZsc.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                Domains

                No Antivirus matches

                URLs


                Domains and IPs

                Contacted Domains

                No contacted domains info

                URLs from Memory and Binaries

                            unknown
                            http://www.galapagosdesign.com/UGzrvAIscZsc.exe, 00000001.00000003.229415378.0000000005ED3000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/zrvAIscZsc.exe, 00000001.00000003.226778337.0000000005EC5000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/kzrvAIscZsc.exe, 00000001.00000003.226778337.0000000005EC5000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/EbzrvAIscZsc.exe, 00000001.00000003.228993958.0000000005EC7000.00000004.00000001.sdmpfalse
                              high
                              http://www.fontbureau.comaliczrvAIscZsc.exe, 00000001.00000003.228993958.0000000005EC7000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/zrvAIscZsc.exe, 00000001.00000003.227982397.0000000005EFE000.00000004.00000001.sdmpfalse
                                high
                                http://www.jiyu-kobo.co.jp/EbzrvAIscZsc.exe, 00000001.00000003.226778337.0000000005EC5000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.sajatypeworks.com(zrvAIscZsc.exe, 00000001.00000003.220601227.0000000005EC3000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                low
                                http://www.jiyu-kobo.co.jp/jp//bzrvAIscZsc.exe, 00000001.00000003.226778337.0000000005EC5000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.founder.com.c0nzrvAIscZsc.exe, 00000001.00000003.223507856.0000000005EC7000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown

                                Contacted IPs

                                No contacted IP infos

                                General Information

                                Joe Sandbox Version:33.0.0 White Diamond
                                Analysis ID:452693
                                Start date:22.07.2021
                                Start time:18:11:41
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 8m 42s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:zrvAIscZsc (renamed file extension from none to exe)
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of analysed new started processes analysed:28
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@6/4@0/0
                                EGA Information:Failed
                                HDC Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                Warnings:
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                Time | Type | Description
                                18:13:04 | API Interceptor | 586x Sleep call for process: zrvAIscZsc.exe modified

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

                                No context

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                C:\Users\user\AppData\Roaming\JxCmQoa.exe | PAYMENT ADVICE.doc | | malicious | |

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zrvAIscZsc.exe.log
                                  Process:C:\Users\user\Desktop\zrvAIscZsc.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):1314
                                  Entropy (8bit):5.350128552078965
                                  Encrypted:false
                                  SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                  MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                  SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                  SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                  SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                  Malicious:true
                                  Reputation:high, very likely benign file
                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                  C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp
                                  Process:C:\Users\user\Desktop\zrvAIscZsc.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1640
                                  Entropy (8bit):5.190145515642554
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB0tn:cbh47TlNQ//rydbz9I3YODOLNdq30
                                  MD5:E872EE2B3C1DB2BA858FB9B7DAC7828E
                                  SHA1:2D73765ADEE9D3739B5837ACEA78E81F4B6A1941
                                  SHA-256:7F9639A09BEA900A382C53E70F3CC4EBB787233B718F190BF64192F73B5CCC70
                                  SHA-512:FF4DE3F91526649B17B3CCB34E19A6917F0763747F4A308F4FAF01541294C6101AA5A21D321D9A2AAD15C77CC297DF6F0C304553755D323C94F8EF45E9A262FD
                                  Malicious:true
                                  Reputation:low
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                  C:\Users\user\AppData\Roaming\JxCmQoa.exe
                                  Process:C:\Users\user\Desktop\zrvAIscZsc.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):918016
                                  Entropy (8bit):7.288418109516271
                                  Encrypted:false
                                  SSDEEP:24576:o8mDgYIvzz43Apj32FeC/V87ZXKzahp/:e1KHcApj3ql87EO
                                  MD5:E85A0E1E81ACBCEA6A0E10EEEDF32F6D
                                  SHA1:3C613A4D232645CCCBC7C1D8A3A8AFB54CD2D56C
                                  SHA-256:AE7399822AD5EF4D9BD2690DF74F6F1B472103380BE74FCA33611CE7265EBC01
                                  SHA-512:E9CEF57CAA3EC7A32D526934BF83154E555B0577629FA527028AD9D6385C80629917A2C46BE82388616A670F0830F4EB23A883A2CB34DF7EC28330A7A1B4E77A
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 24%
                                  Joe Sandbox View:
                                  • Filename: PAYMENT ADVICE.doc, Detection: malicious
                                  Reputation:low
                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y..`.................V..........nu... ........@.. ....................................@................................. u..K............................`....................................................... ............... ..H............text...tU... ...V.................. ..`.sdata...............Z..............@....rsrc................\..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\AppData\Roaming\JxCmQoa.exe:Zone.Identifier
                                  Process:C:\Users\user\Desktop\zrvAIscZsc.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview: [ZoneTransfer]....ZoneId=0

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.288418109516271
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                  File name:zrvAIscZsc.exe
                                  File size:918016
                                  MD5:e85a0e1e81acbcea6a0e10eeedf32f6d
                                  SHA1:3c613a4d232645cccbc7c1d8a3a8afb54cd2d56c
                                  SHA256:ae7399822ad5ef4d9bd2690df74f6f1b472103380be74fca33611ce7265ebc01
                                  SHA512:e9cef57caa3ec7a32d526934bf83154e555b0577629fa527028ad9d6385c80629917a2c46be82388616a670f0830f4eb23a883a2cb34df7ec28330a7a1b4e77a
                                  SSDEEP:24576:o8mDgYIvzz43Apj32FeC/V87ZXKzahp/:e1KHcApj3ql87EO
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y..`.................V..........nu... ........@.. ....................................@................................

                                  File Icon

                                  Icon Hash:cc92316d713396e8

                                  Static PE Info

                                  General

                                  Entrypoint:0x4c756e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x60F91A79 [Thu Jul 22 07:12:57 2021 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]

                                  Data Directories

                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc7520 | 0x4b | .text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xca000 | 0x1a314 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe6000 | 0xc | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x2000 | 0xc5574 | 0xc5600 | False | 0.777286850855 | data | 7.56992954159 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .sdata | 0xc8000 | 0x18 | 0x200 | False | 0.060546875 | data | 0.456640975135 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0xca000 | 0x1a314 | 0x1a400 | False | 0.141220238095 | data | 3.00130868607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0xe6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0940979256627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

                                  Name | RVA | Size | Type | Language | Country
                                  RT_ICON | 0xca220 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                  RT_ICON | 0xca688 | 0x162a | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | |
                                  RT_ICON | 0xcbcb4 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                  RT_ICON | 0xce25c | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                                  RT_ICON | 0xcf304 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                  RT_ICON | 0xdfb2c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                  RT_GROUP_ICON | 0xe3d54 | 0x5a | data | |
                                  RT_VERSION | 0xe3db0 | 0x376 | data | |
                                  RT_MANIFEST | 0xe4128 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                  Imports

                                  DLL | Import
                                  mscoree.dll | _CorExeMain

                                  Version Infos

                                  Description | Data
                                  Translation | 0x0000 0x04b0
                                  LegalCopyright | (c) 2019 Riot Games, Inc.
                                  Assembly Version | 2.0.26.9
                                  InternalName | LSATRANSLATEDNA.exe
                                  FileVersion | 2.0.26.9
                                  CompanyName | Riot Games, Inc.
                                  LegalTrademarks |
                                  Comments |
                                  ProductName | Riot Client
                                  ProductVersion | 2.0.26.9
                                  FileDescription | Riot Client
                                  OriginalFilename | LSATRANSLATEDNA.exe

                                  Network Behavior

                                  No network behavior found

                                  Code Manipulations

                                  Statistics

                                  Behavior

System Behavior

General

Start time: 18:12:36
Start date: 22/07/2021
Path: C:\Users\user\Desktop\zrvAIscZsc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\zrvAIscZsc.exe'
Imagebase: 0xb00000
File size: 918016 bytes
MD5 hash: E85A0E1E81ACBCEA6A0E10EEEDF32F6D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 18:13:05
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp3A6D.tmp'
Imagebase: 0x9f0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:13:06
Start date: 22/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:13:07
Start date: 22/07/2021
Path: C:\Users\user\Desktop\zrvAIscZsc.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\zrvAIscZsc.exe
Imagebase: 0xac0000
File size: 918016 bytes
MD5 hash: E85A0E1E81ACBCEA6A0E10EEEDF32F6D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.488036302.0000000003020000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.488036302.0000000003020000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.487381781.0000000002F71000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.487381781.0000000002F71000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.483340668.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000002.483340668.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low
