Windows Analysis Report 1FB6ncJ5XP.exe

Overview

General Information

Sample Name: 1FB6ncJ5XP.exe
Analysis ID: 500301
MD5: e90d3150b729f9e9f8271ed964da0d14
SHA1: 08f865e0f25ca9f7e19f04e8d437214f924c3bb8
SHA256: b96ae4aab134c7612bd21311ee76a7b0b0dc14af7b2e10713564e50fc739967e
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • 1FB6ncJ5XP.exe (PID: 6448 cmdline: 'C:\Users\user\Desktop\1FB6ncJ5XP.exe' MD5: E90D3150B729F9E9F8271ED964DA0D14)
    • schtasks.exe (PID: 7156 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QLpzxrlNoQJN' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 1FB6ncJ5XP.exe (PID: 2832 cmdline: C:\Users\user\Desktop\1FB6ncJ5XP.exe MD5: E90D3150B729F9E9F8271ED964DA0D14)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "a34ced25-fb8b-4570-a6e3-066f7f9b", "Group": "AAA", "Domain1": "ella666.duckdns.org", "Domain2": "mikeljack321.ddns.net", "Port": 31829, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "ella666.duckdns.org"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.573289700.0000000005640000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000007.00000002.573289700.0000000005640000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(5 of 20 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.1FB6ncJ5XP.exe.5640000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
7.2.1FB6ncJ5XP.exe.5640000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(5 of 31 entries shown)
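Each row in the two tables above is a string hit at a file or memory offset. Both Florian Roth rules key on the .NET type names NanoCore.ClientPluginHost and IClientNetworkHost, with IClientLoggingHost, PipeCreated and PipeExists as supporting strings; in a .NET assembly these sit as plain ASCII in the metadata string heap, which is why an unpacked or dumped region lights up even though the original file is packed. The Python below is an added example and is not the report's tooling or either published rule: it builds a constructed stand-in for the 0x5640000 region with the indicators planted at the offsets the first two rows report, scans for both ASCII and UTF-16LE forms, prints hits in the report's 0xoffset:$id: string form, and applies a decision threshold that is the example's own, not the condition of the Neo23x0 or Kevin Breen rules.

```python
from dataclasses import dataclass

# Indicator strings as they appear in the Yara rows above; the $x/$s labels follow the report's
# convention (x = specific to NanoCore, s = supporting).
INDICATORS = {
    "$x1": b"NanoCore.ClientPluginHost",
    "$x2": b"IClientNetworkHost",
    "$s3": b"PipeExists",
    "$s4": b"PipeCreated",
    "$s5": b"IClientLoggingHost",
}


@dataclass(frozen=True)
class Match:
    offset: int
    ident: str
    wide: bool  # True when found as UTF-16LE rather than ASCII

    def __str__(self):
        text = INDICATORS[self.ident].decode()
        return f"0x{self.offset:x}:{self.ident}: {text}" + (" (wide)" if self.wide else "")


def build_sample_dump():
    """Constructed stand-in for the dumped 0x5640000 region: a zero-filled buffer with the
    indicators planted at the offsets the first two table rows report, plus one UTF-16LE copy
    of IClientLoggingHost at 0x1200 to exercise the wide path. Not a real memory dump."""
    buf = bytearray(0x1300)
    for off, ident in [(0xe75, "$x1"), (0xe8f, "$x2"), (0xeb0, "$s5"), (0x1136, "$s4"), (0x1261, "$s3")]:
        s = INDICATORS[ident]
        buf[off:off + len(s)] = s
    wide = INDICATORS["$s5"].decode().encode("utf-16-le")
    buf[0x1200:0x1200 + len(wide)] = wide
    return bytes(buf)


def find_all(buf, needle):
    pos = buf.find(needle)
    while pos != -1:
        yield pos
        pos = buf.find(needle, pos + 1)


def scan(buf):
    """Every ASCII and UTF-16LE occurrence of every indicator, ordered by offset."""
    matches = []
    for ident, ascii_form in INDICATORS.items():
        matches += [Match(off, ident, False) for off in find_all(buf, ascii_form)]
        wide_form = ascii_form.decode().encode("utf-16-le")
        matches += [Match(off, ident, True) for off in find_all(buf, wide_form)]
    return sorted(matches, key=lambda m: (m.offset, m.ident))


def verdict(matches):
    """This example's own thresholds, not the condition of either published rule: both
    NanoCore-specific strings, or one of them together with two supporting strings."""
    idents = {m.ident for m in matches}
    specific = {i for i in idents if i.startswith("$x")}
    supporting = {i for i in idents if i.startswith("$s")}
    if len(specific) == 2 or (specific and len(supporting) >= 2):
        return "nanocore"
    if specific or supporting:
        return "weak"
    return "clean"


if __name__ == "__main__":
    hits = scan(build_sample_dump())
    print("\n".join(map(str, hits)))
    print("verdict:", verdict(hits))
```

Running it prints six hits: the five ASCII ones at 0xe75, 0xe8f, 0xeb0, 0x1136 and 0x1261 and the planted UTF-16 copy at 0x1200. The caveat is the same as for the real rules: the match is purely on strings, so an obfuscator that renames these interfaces, or a packer that never decrypts them into a dumpable region, defeats it, which is why the report also leans on the configuration extractor and the behavioural signatures.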

Sigma Overview

Sigma detected: NanoCore (the report lists this single rule hit under AV Detection, E-Banking Fraud, Stealing of Sensitive Information and Remote Access Functionality)
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\1FB6ncJ5XP.exe, ProcessId: 2832, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
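The process tree and the Sigma hit above describe one chain: the sample registers a scheduled task from an XML file staged in %TEMP% under the task folder Updates\, starts a second instance of its own image (the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures), and the second instance writes run.dat into a GUID-named folder under AppData\Roaming, which is the file-create event the Joe Security Sigma rule keys on. The Python below is an added example and is not part of the Joe Sandbox report or of any published Sigma rule: it runs those checks over constructed Sysmon-style events and attributes every hit to the root of the process chain, so that one process tree accumulates the evidence. The event dictionaries, the PIDs and paths of the benign events, the allow-list-free same-image check and the escalation threshold are the example's own assumptions; the malicious command line, PIDs and run.dat path are copied from the sections above.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create). They are not
# the sandbox's raw log: the image paths, PIDs, schtasks command line and run.dat path mirror
# the process tree and Sigma sections above; everything else is filler for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6448, "ParentProcessId": 1234,
     "Image": r"C:\Users\user\Desktop\1FB6ncJ5XP.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\1FB6ncJ5XP.exe"'},
    {"EventID": 1, "ProcessId": 7156, "ParentProcessId": 6448,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\1FB6ncJ5XP.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QLpzxrlNoQJN" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp"'},
    {"EventID": 1, "ProcessId": 2832, "ParentProcessId": 6448,
     "Image": r"C:\Users\user\Desktop\1FB6ncJ5XP.exe",
     "ParentImage": r"C:\Users\user\Desktop\1FB6ncJ5XP.exe",
     "CommandLine": r"C:\Users\user\Desktop\1FB6ncJ5XP.exe"},
    {"EventID": 11, "ProcessId": 2832,
     "Image": r"C:\Users\user\Desktop\1FB6ncJ5XP.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    # Benign noise (assumed): an admin-created task and an ordinary shell shortcut.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /SC DAILY /TN "Backup\Nightly" /TR "C:\Tools\backup.cmd"'},
    {"EventID": 11, "ProcessId": 3100,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"},
]

GUID = r"\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?"
# run.dat inside a GUID-named folder directly under Roaming, the path shape in the Sigma event above
RUN_DAT_RE = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.IGNORECASE)
# task registered from an XML file staged in %TEMP% under a tmpXXXX.tmp name
TASK_XML_TEMP_RE = re.compile(r'/XML\s+"?[^"]*\\AppData\\Local\\Temp\\tmp[0-9A-Fa-f]{4}\.tmp', re.IGNORECASE)
# task name placed under the "Updates\" folder, the naming seen in this report
TASK_NAME_UPDATES_RE = re.compile(r'/TN\s+"?Updates\\', re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the names of the checks this single event triggers."""
    hits = []
    if ev["EventID"] == 1:
        cmd = ev.get("CommandLine", "")
        if _basename(ev["Image"]) == "schtasks.exe" and "/create" in cmd.lower():
            if TASK_XML_TEMP_RE.search(cmd):
                hits.append("schtasks_create_from_temp_xml")
            if TASK_NAME_UPDATES_RE.search(cmd):
                hits.append("schtasks_taskname_updates")
        # Sysmon does not expose CREATE_SUSPENDED; a parent launching its own image is the
        # nearest observable and is noisy without an allow list (assumption for this example).
        if ev["Image"].lower() == ev.get("ParentImage", "").lower():
            hits.append("process_spawns_own_image")
    elif ev["EventID"] == 11:
        if RUN_DAT_RE.search(ev.get("TargetFilename", "")):
            hits.append("nanocore_run_dat_in_guid_dir")
    return hits


def detect(events):
    """Evaluate every event, then attribute each hit to the root of its parent chain so that
    the pieces of one infection (dropper, schtasks child, injected copy) land on one record."""
    parent = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events if ev["EventID"] == 1}

    def root(pid):
        while pid in parent and parent[pid] in parent:
            pid = parent[pid]
        return pid

    findings = defaultdict(set)
    for ev in events:
        for rule in check_event(ev):
            findings[root(ev["ProcessId"])].add(rule)
    return {pid: sorted(rules) for pid, rules in findings.items()}


def triage(findings, min_rules=2):
    """Two independent checks on one process tree is this example's escalation threshold."""
    return {pid: ("suspicious" if len(rules) >= min_rules else "info") for pid, rules in findings.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for pid, rules in found.items():
        print(pid, triage(found)[pid], rules)
```

Run stand-alone it reports root PID 6448 as suspicious with all four checks, while the admin-created task and the shortcut file produce nothing. The run.dat-in-GUID-folder and schtasks-from-temp-XML checks are specific enough to stand on their own; the same-image check is the weak link and on a real fleet needs an allow list, because browsers and updaters spawn their own image routinely.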

      Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 1FB6ncJ5XP.exe | Virustotal: Detection: 36%
Source: 1FB6ncJ5XP.exe | ReversingLabs: Detection: 42%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\QLpzxrlNoQJN.exe | ReversingLabs: Detection: 42%
Yara detected Nanocore RAT
Source: Yara match | File source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.1FB6ncJ5XP.exe.5784629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.1FB6ncJ5XP.exe.5780000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.1FB6ncJ5XP.exe.3d7458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTR
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack | Avira: Label: TR/NanoCore.fadte
Source: 1FB6ncJ5XP.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1FB6ncJ5XP.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 185.140.53.6 ports 31829,1,2,3,8,9
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: ella666.duckdns.org
Source: Malware configuration extractor | URLs: mikeljack321.ddns.net
Uses dynamic DNS services
Source: unknown | DNS query: name: ella666.duckdns.org
Source: unknown | DNS query: name: mikeljack321.ddns.net
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG
Source: Joe Sandbox View | IP Address: 185.140.53.6
Source: global traffic | TCP traffic: 192.168.2.3:49754 -> 185.140.53.6:31829
Apart from http://github.com/besentv, the strings below are font-foundry and font-license URLs of the kind carried in embedded font metadata; none of them appears in the captured traffic, which consists only of the two dynamic-DNS queries and the connections to 185.140.53.6.
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 1FB6ncJ5XP.exe | String found in binary or memory: http://github.com/besentv
Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp, 1FB6ncJ5XP.exe, 00000007.00000002.569044222.0000000002D77000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: ella666.duckdns.org
Source: 1FB6ncJ5XP.exe, 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
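The Networking section shows the three things an analyst joins together: the two dynamic-DNS C2 names and port 31829 from the extracted configuration, the resolution of those names to 185.140.53.6, and the TCP flows to that host, including the fan-out to ports 1, 2, 3, 8 and 9 that the sandbox labels as likely port scanning. The Python below is an added example, not the report's own code: it reads the network-relevant keys of the extracted configuration, flags queries for well-known free dynamic-DNS zones (the suffix list is an assumption), groups flows by destination to find single hosts contacted on many ports, and matches flows against the C2 names once they have resolved. The DNS and flow lines are constructed to mirror the traffic listed above; the benign destination 203.0.113.10 is a documentation address.

```python
import json
import re
from collections import defaultdict

# Network-relevant keys of the configuration shown under Malware Configuration above
# (timing values and feature flags omitted).
CONFIG_JSON = ('{"Version": "1.2.2.0", "Mutex": "a34ced25-fb8b-4570-a6e3-066f7f9b", "Group": "AAA", '
               '"Domain1": "ella666.duckdns.org", "Domain2": "mikeljack321.ddns.net", "Port": 31829, '
               '"UseCustomDNS": "Enable", "PrimaryDNSServer": "ella666.duckdns.org"}')

# Free dynamic-DNS zones commonly used for RAT C2 (assumed list; extend for your environment).
DYNDNS_SUFFIXES = ("duckdns.org", "ddns.net", "no-ip.org", "hopto.org")

# Constructed telemetry mirroring the DNS queries and TCP traffic listed in this section.
DNS_LOG = [
    "ella666.duckdns.org A 185.140.53.6",
    "mikeljack321.ddns.net A 185.140.53.6",
    "www.example.com A 203.0.113.10",
]
FLOW_LOG = [
    "192.168.2.3:49754 -> 185.140.53.6:31829",
    "192.168.2.3:49755 -> 185.140.53.6:1",
    "192.168.2.3:49756 -> 185.140.53.6:2",
    "192.168.2.3:49757 -> 185.140.53.6:3",
    "192.168.2.3:49758 -> 185.140.53.6:8",
    "192.168.2.3:49759 -> 185.140.53.6:9",
    "192.168.2.3:49760 -> 203.0.113.10:443",
]
FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")


def c2_from_config(text):
    """Pull every host name and the port out of the extracted NanoCore configuration."""
    cfg = json.loads(text)
    names = {v.lower() for k, v in cfg.items() if k.startswith("Domain") and v}
    # In this sample PrimaryDNSServer repeats Domain1; include it so the watch list does not
    # depend on which field the operator filled in.
    if cfg.get("UseCustomDNS") == "Enable" and cfg.get("PrimaryDNSServer"):
        names.add(cfg["PrimaryDNSServer"].lower())
    return {"domains": sorted(names), "port": int(cfg["Port"])}


def resolutions(dns_log):
    """name -> set of A-record answers seen in the log."""
    out = defaultdict(set)
    for line in dns_log:
        name, rtype, addr = line.split()
        if rtype == "A":
            out[name.lower()].add(addr)
    return out


def dyndns_names(dns_log):
    """Queried names that fall under one of the dynamic-DNS zones."""
    return sorted({line.split()[0] for line in dns_log
                   if line.split()[0].lower().endswith(DYNDNS_SUFFIXES)})


def port_fanout(flow_log, min_ports=3):
    """Destination hosts contacted on at least min_ports distinct ports."""
    ports = defaultdict(set)
    for line in flow_log:
        m = FLOW_RE.match(line)
        if m:
            ports[m.group(3)].add(int(m.group(4)))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def c2_flows(flow_log, dns_log, c2):
    """Flows whose destination is a resolved C2 name on the configured port."""
    res = resolutions(dns_log)
    c2_ips = set().union(*(res[d] for d in c2["domains"]))
    return [line for line in flow_log
            if (m := FLOW_RE.match(line)) and m.group(3) in c2_ips and int(m.group(4)) == c2["port"]]


if __name__ == "__main__":
    c2 = c2_from_config(CONFIG_JSON)
    print("C2 from config:", c2)
    print("dynamic DNS names queried:", dyndns_names(DNS_LOG))
    print("port fan-out:", port_fanout(FLOW_LOG))
    print("C2 flows:", c2_flows(FLOW_LOG, DNS_LOG, c2))
```

Resolve-then-match is the order that matters: the configuration carries host names, not addresses, so a flow watch list built from the configuration alone misses the C2 until the DNS answer is joined in, whereas the fan-out check needs no configuration at all and raises 185.140.53.6 from the flow log by itself.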

E-Banking Fraud:

Yara detected Nanocore RAT
Source: the same 17 Yara match sources listed under AV Detection above (10 unpacked PEs, 5 memory dumps, 2 process memory spaces)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.1FB6ncJ5XP.exe.5640000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.5784629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT, Author: Florian Roth; NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.1FB6ncJ5XP.exe.3d7458d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT, Author: Florian Roth; NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT, Author: Florian Roth; NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE | Matched rules: Detetcs the Nanocore RAT, Author: Florian Roth; NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.573289700.0000000005640000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT, Author: Florian Roth; NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT, Author: Florian Roth; NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Detetcs the Nanocore RAT, Author: Florian Roth; NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR | Matched rules: Detetcs the Nanocore RAT, Author: Florian Roth; NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTR | Matched rules: Detetcs the Nanocore RAT, Author: Florian Roth; NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: 1FB6ncJ5XP.exe, MainUI.cs | Long String: Length: 23851
Source: 1FB6ncJ5XP.exe, MainUI.cs | Long String: Length: 23852
Source: QLpzxrlNoQJN.exe.0.dr, MainUI.cs | Long String: Length: 23851
Source: QLpzxrlNoQJN.exe.0.dr, MainUI.cs | Long String: Length: 23852
Source: 0.0.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs | Long String: Length: 23851
Source: 0.0.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs | Long String: Length: 23852
Source: 0.2.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs | Long String: Length: 23851
Source: 0.2.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs | Long String: Length: 23852
Source: 7.2.1FB6ncJ5XP.exe.a40000.1.unpack, MainUI.cs | Long String: Length: 23851
Source: 7.2.1FB6ncJ5XP.exe.a40000.1.unpack, MainUI.cs | Long String: Length: 23852
Source: 7.0.1FB6ncJ5XP.exe.a40000.0.unpack, MainUI.cs | Long String: Length: 23851
Source: 7.0.1FB6ncJ5XP.exe.a40000.0.unpack, MainUI.cs | Long String: Length: 23852
Source: 1FB6ncJ5XP.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara rule metadata reported with each of the matches below:
Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.1FB6ncJ5XP.exe.5640000.6.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 7.2.1FB6ncJ5XP.exe.5784629.7.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 7.2.1FB6ncJ5XP.exe.3d7458d.4.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 00000007.00000002.573289700.0000000005640000.00000004.00020000.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2
      Source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_009C3266
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_0116E6D0
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_0116C0B4
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_0116E6CA
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_009C3292
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_00A43266
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_0528E471
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_0528E480
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_0528BBD4
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_00A43292
      Source: 1FB6ncJ5XP.exe Binary or memory string: OriginalFilename vs 1FB6ncJ5XP.exe
      Source: 1FB6ncJ5XP.exe, 00000000.00000002.337326122.00000000009C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameReadOnlyDictionaryValueCollecti.exeZ vs 1FB6ncJ5XP.exe
      Source: 1FB6ncJ5XP.exe, 00000000.00000002.344947775.0000000007BD0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll< vs 1FB6ncJ5XP.exe
      Source: 1FB6ncJ5XP.exe, 00000007.00000000.334824506.0000000000A42000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameReadOnlyDictionaryValueCollecti.exeZ vs 1FB6ncJ5XP.exe
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.569044222.0000000002D77000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 1FB6ncJ5XP.exe
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs 1FB6ncJ5XP.exe
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 1FB6ncJ5XP.exe
      Source: 1FB6ncJ5XP.exe Binary or memory string: OriginalFilenameReadOnlyDictionaryValueCollecti.exeZ vs 1FB6ncJ5XP.exe
      Source: 1FB6ncJ5XP.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: QLpzxrlNoQJN.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 1FB6ncJ5XP.exe Virustotal: Detection: 36%
      Source: 1FB6ncJ5XP.exe ReversingLabs: Detection: 42%
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File read: C:\Users\user\Desktop\1FB6ncJ5XP.exe
      Source: 1FB6ncJ5XP.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown Process created: C:\Users\user\Desktop\1FB6ncJ5XP.exe 'C:\Users\user\Desktop\1FB6ncJ5XP.exe'
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QLpzxrlNoQJN' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Users\user\Desktop\1FB6ncJ5XP.exe C:\Users\user\Desktop\1FB6ncJ5XP.exe
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QLpzxrlNoQJN' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp'
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Users\user\Desktop\1FB6ncJ5XP.exe C:\Users\user\Desktop\1FB6ncJ5XP.exe
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File created: C:\Users\user\AppData\Roaming\QLpzxrlNoQJN.exe
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File created: C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp
      Source: classification engine Classification label: mal100.troj.evad.winEXE@6/5@21/2
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: 1FB6ncJ5XP.exe, MainUI.cs Base64 encoded string:
      Source: QLpzxrlNoQJN.exe.0.dr, MainUI.cs Base64 encoded string:
      Source: 0.0.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Base64 encoded string:
      Source: 0.2.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Base64 encoded string:
      Source: 7.2.1FB6ncJ5XP.exe.a40000.1.unpack, MainUI.cs Base64 encoded string:
      Source: 7.0.1FB6ncJ5XP.exe.a40000.0.unpack, MainUI.cs Base64 encoded string:
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Mutant created: \Sessions\1\BaseNamedObjects\jkYkqulLHC
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_01
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{a34ced25-fb8b-4570-a6e3-066f7f9be505}
      Source: 1FB6ncJ5XP.exe String found in binary or memory: MF0IPGE+p6yD2rytzZQzqCQRFRPccnYiLlMieltDTR4ROx71vg8y017n2HimrBDpJbhwnzfxqqJ+Z04f/y35/AdDff6uI3P185QBKqBZXQxxQSfGWXLKk/PKO4PFlGi2GzLFS9GdLG1qjGl7W4YrgWdRqNXRKnoVnGixN84qPlGdQsoLOGmedqwqYR4TNNDgIyw6YDWNvhvJR4veWHOXpJ6hfzVdXyf7SFhWRnkRvd2AM+U5AduEJfMOTCYVQJrUQ74q
      Source: 1FB6ncJ5XP.exe, MainUI.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: QLpzxrlNoQJN.exe.0.dr, MainUI.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 0.0.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 0.2.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
      Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: 1FB6ncJ5XP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: 1FB6ncJ5XP.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 1FB6ncJ5XP.exe, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: QLpzxrlNoQJN.exe.0.dr, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.0.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.2.1FB6ncJ5XP.exe.9c0000.0.unpack, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 7.2.1FB6ncJ5XP.exe.a40000.1.unpack, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 7.0.1FB6ncJ5XP.exe.a40000.0.unpack, MainUI.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 0_2_009C5934 push es; retf
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Code function: 7_2_00A457F3 push es; retf
      Source: initial sample Static PE information: section name: .text entropy: 7.39359374162
      Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File created: C:\Users\user\AppData\Roaming\QLpzxrlNoQJN.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QLpzxrlNoQJN' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe File opened: C:\Users\user\Desktop\1FB6ncJ5XP.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara match | File source: 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.339659740.0000000002E7E000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe TID: 4244 | Thread sleep time: -37107s >= -30000s
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe TID: 4540 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe TID: 6132 | Thread sleep time: -12912720851596678s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Window / User API: threadDelayed 3567
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Window / User API: threadDelayed 5797
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Window / User API: foregroundWindowGot 863
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Thread delayed: delay time: 37107
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Thread delayed: delay time: 922337203685477
      Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
      Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: 1FB6ncJ5XP.exe, 00000007.00000003.538555339.00000000010AE000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign process
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Memory written: C:\Users\user\Desktop\1FB6ncJ5XP.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QLpzxrlNoQJN' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp'
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Process created: C:\Users\user\Desktop\1FB6ncJ5XP.exe C:\Users\user\Desktop\1FB6ncJ5XP.exe
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.571921722.00000000032EC000.00000004.00000001.sdmp | Binary or memory string: Program Manager
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.568798463.00000000017D0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.568798463.00000000017D0000.00000002.00020000.sdmp | Binary or memory string: Progman
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.573932946.00000000063DD000.00000004.00000001.sdmp | Binary or memory string: Program Manager 4L
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.573653225.000000000618C000.00000004.00000001.sdmp | Binary or memory string: Program Managerp:
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.569044222.0000000002D77000.00000004.00000001.sdmp | Binary or memory string: Program ManagerX
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.568798463.00000000017D0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Users\user\Desktop\1FB6ncJ5XP.exe VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Users\user\Desktop\1FB6ncJ5XP.exe VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\1FB6ncJ5XP.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match; file source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.unpack, type: UNPACKEDPE
      Source: Yara match; file source: 7.2.1FB6ncJ5XP.exe.5784629.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match; file source: 7.2.1FB6ncJ5XP.exe.3d6ff64.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match; file source: 7.2.1FB6ncJ5XP.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match; file source: 7.2.1FB6ncJ5XP.exe.5780000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match; file source: 7.2.1FB6ncJ5XP.exe.3d7458d.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match; file source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match; file source: 7.2.1FB6ncJ5XP.exe.5780000.8.unpack, type: UNPACKEDPE
      Source: Yara match; file source: 0.2.1FB6ncJ5XP.exe.3dc6730.1.unpack, type: UNPACKEDPE
      Source: Yara match; file source: 7.2.1FB6ncJ5XP.exe.3d6b12e.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match; file source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara match; file source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; file source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; file source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; file source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; file source: Process Memory Space: 1FB6ncJ5XP.exe PID: 6448, type: MEMORYSTR
      Source: Yara match; file source: Process Memory Space: 1FB6ncJ5XP.exe PID: 2832, type: MEMORYSTR

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: 1FB6ncJ5XP.exe, 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp; string found in binary or memory: NanoCore.ClientPluginHost
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.569044222.0000000002D77000.00000004.00000001.sdmp; string found in binary or memory: NanoCore.ClientPluginHost
      Source: 1FB6ncJ5XP.exe, 00000007.00000002.569044222.0000000002D77000.00000004.00000001.sdmp; string found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RAT
      Source: Yara match; the same 17 file sources (10 UNPACKEDPE, 5 MEMORY, 2 MEMORYSTR) already listed under Stealing of Sensitive Information above.
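      The long string above is the .NET metadata name run of NanoCore's ClientPlugin.dll: the namespace NanoCore.ClientPlugin, the plugin-host interfaces (IClientNetworkHost, IClientLoggingHost, IClientUIHost, IClientAppHost, IClientDataHost) and the assembly name itself. Because every NanoCore plugin binds to these interfaces, the names survive in process memory even when the main payload is packed, which is what makes them usable as a memory signature. The scanner below is an added example, not code from this report or from Joe Sandbox: it searches a dump for those names in both the ASCII form used by the metadata heap and the UTF-16LE form used by managed strings, and returns a verdict only when a NanoCore-prefixed name is present together with several independent host-interface names. The marker list is taken from the string quoted above; the threshold of four distinct markers and the two constructed sample dumps are assumptions.

```python
"""Scan a memory dump for the NanoCore ClientPlugin metadata names quoted in the report."""
import re
from dataclasses import dataclass, field

# Names lifted from the NanoCore ClientPlugin metadata run quoted in the report.
# Prefixes of other markers are deliberately left out so that one occurrence cannot
# be counted twice (e.g. "NanoCore.ClientPlugin" is a prefix of the Host name).
NANOCORE_MARKERS = (
    b"NanoCore.ClientPluginHost",
    b"IClientNetworkHost",
    b"IClientLoggingHost",
    b"IClientUIHost",
    b"IClientAppHost",
    b"IClientDataHost",
    b"ClientPlugin.dll",
    b"AddHostEntry",
    b"RebuildHostCache",
    b"DisableProtection",
    b"RestoreProtection",
)

# Assumed threshold (not from the report): one NanoCore-prefixed name plus enough
# independent plugin-host names to rule out a lone generic string.
MIN_DISTINCT_MARKERS = 4


@dataclass
class ScanResult:
    # marker name -> list of (offset, encoding) where it was found
    hits: dict = field(default_factory=dict)

    @property
    def distinct(self) -> int:
        return len(self.hits)

    @property
    def has_anchor(self) -> bool:
        return any(name.startswith("NanoCore.") for name in self.hits)

    @property
    def verdict(self) -> bool:
        return self.has_anchor and self.distinct >= MIN_DISTINCT_MARKERS


def _needles(marker: bytes):
    """Yield the ASCII form (metadata #Strings heap) and the UTF-16LE form (managed strings)."""
    yield "ascii", marker
    yield "utf-16le", marker.decode("ascii").encode("utf-16-le")


def scan(buf: bytes) -> ScanResult:
    """Locate every marker occurrence in buf and return the collected hits."""
    result = ScanResult()
    for marker in NANOCORE_MARKERS:
        name = marker.decode("ascii")
        for encoding, needle in _needles(marker):
            for m in re.finditer(re.escape(needle), buf):
                result.hits.setdefault(name, []).append((m.start(), encoding))
    return result


# Constructed sample dump: an excerpt of the metadata run quoted in the report,
# padded with NULs to stand in for surrounding process memory.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"<Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProject"
    + b"IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHost"
    + b"NanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHost"
    + b"RebuildHostCacheAddHostEntryDisconnectSendToServerDisableProtectionRestoreProtection"
    + b"ClientPluginClientPlugin.dll"
    + b"\x00" * 16
)

# Constructed benign dump: an ordinary WinForms metadata run that happens to contain
# one generic marker ("ClientPlugin.dll") and must not trigger the verdict.
BENIGN_DUMP = b"<Module>mscorlibSystem.Windows.FormsFormButtonClientPlugin.dllSystem.Drawing"


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        r = scan(dump)
        print(f"{label}: verdict={r.verdict} distinct={r.distinct} markers={sorted(r.hits)}")
```

      Run against a real dump, read the file in binary mode and pass the bytes to scan(); the offsets in ScanResult.hits point at the metadata run, which is the region to carve when the unpacked ClientPlugin.dll is wanted for further analysis.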

      Mitre Att&ck Matrix

      Observed techniques per tactic. The bracketed digits are the report's per-technique signature-count badges, run together by extraction (112 is three badges, not 112 signatures). Tactics not listed (Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact) had no observed technique; the remaining cells of the matrix are the standard unobserved techniques.

      Execution: Command and Scripting Interpreter [2], Scheduled Task/Job [1]
      Persistence: Scheduled Task/Job [1]
      Privilege Escalation: Process Injection [112], Scheduled Task/Job [1]
      Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [21], Process Injection [112], Deobfuscate/Decode Files or Information [1], Hidden Files and Directories [1], Obfuscated Files or Information [21], Software Packing [13]
      Credential Access: Input Capture [11]
      Discovery: Security Software Discovery [21], Process Discovery [2], Virtualization/Sandbox Evasion [21], Application Window Discovery [1], File and Directory Discovery [1], System Information Discovery [12]
      Collection: Input Capture [11], Archive Collected Data [11]
      Command and Control: Encrypted Channel [1], Non-Standard Port [1], Remote Access Software [1], Non-Application Layer Protocol [1], Application Layer Protocol [21]

      Behavior Graph

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      1FB6ncJ5XP.exe | 37% | Virustotal | (none)
      1FB6ncJ5XP.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.DarkStealerLoader

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Roaming\QLpzxrlNoQJN.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.DarkStealerLoader

      Unpacked PE Files

      Source | Detection | Scanner | Label
      7.2.1FB6ncJ5XP.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      7.2.1FB6ncJ5XP.exe.5780000.8.unpack | 100% | Avira | TR/NanoCore.fadte

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
      http://www.tiro.com | 0% | URL Reputation | safe
      http://www.goodfont.co.kr | 0% | URL Reputation | safe
      http://www.carterandcone.coml | 0% | URL Reputation | safe
      http://www.sajatypeworks.com | 0% | URL Reputation | safe
      http://www.typography.netD | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
      http://fontfabrik.com | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
      ella666.duckdns.org | 0% | Avira URL Cloud | safe
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
      http://www.sandoll.co.kr | 0% | URL Reputation | safe
      mikeljack321.ddns.net | 0% | Avira URL Cloud | safe
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
      http://www.sakkal.com | 0% | URL Reputation | safe

      Note that the two dynamic-DNS hosts the sample actually contacts (ella666.duckdns.org and mikeljack321.ddns.net, listed as malicious under Contacted Domains below) are rated safe here: URL-reputation verdicts lag behind the behavioural evidence in this report and should not override it.

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      mikeljack321.ddns.net | 185.140.53.6 | true | true | (none) | unknown
      ella666.duckdns.org | 185.140.53.6 | true | true | (none) | unknown

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      ella666.duckdns.org | true | Avira URL Cloud: safe | unknown
      mikeljack321.ddns.net | true | Avira URL Cloud: safe | unknown
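      Both contacted hostnames are dynamic-DNS names under different providers that resolve to the same address, 185.140.53.6, and both are rated safe by URL reputation. The triage helper below is an added example, not part of this report: it decides whether a hostname sits under a dynamic-DNS zone by matching whole trailing labels (so a lookalike such as notduckdns.org is not flagged and the zone apex itself is not either), then groups passive-DNS style (host, ip) records by address and reports every address reached through two or more dynamic-DNS names, which is the pattern in the table above and a stronger pivot than either name alone. The zone list beyond ddns.net and duckdns.org, the minimum-host threshold and the benign records using RFC 5737 documentation addresses are assumptions.

```python
"""Flag dynamic-DNS hostnames and pivot on shared resolution, as a passive-DNS triage step."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Dynamic-DNS zones. ddns.net and duckdns.org are the two seen in this report; the
# others are well-known provider zones added as an assumption for coverage.
DDNS_ZONES = frozenset({
    "ddns.net", "duckdns.org",
    "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org", "myftp.org",
})


def ddns_zone(host: str) -> Optional[str]:
    """Return the dynamic-DNS zone that host is a customer name under, or None.

    Matching is on whole trailing labels, never a bare substring, and at least one
    label must precede the zone: "ella666.duckdns.org" -> "duckdns.org", while
    "notduckdns.org" and the apex "duckdns.org" both return None.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_ZONES:
            return candidate
    return None


@dataclass(frozen=True)
class SharedInfra:
    ip: str
    hosts: Tuple[str, ...]       # every hostname seen resolving to ip, sorted
    ddns_hosts: Tuple[str, ...]  # the subset under a dynamic-DNS zone, sorted


def find_shared_ddns_infra(resolutions: Iterable[Tuple[str, str]],
                           min_ddns_hosts: int = 2) -> List[SharedInfra]:
    """Group (host, ip) records by ip and return the addresses reached via several DDNS names."""
    by_ip = defaultdict(set)
    for host, ip in resolutions:
        by_ip[ip].add(host.lower().rstrip("."))
    findings = []
    for ip, hosts in sorted(by_ip.items()):
        ddns = tuple(sorted(h for h in hosts if ddns_zone(h)))
        if len(ddns) >= min_ddns_hosts:
            findings.append(SharedInfra(ip=ip, hosts=tuple(sorted(hosts)), ddns_hosts=ddns))
    return findings


# Constructed sample: the two resolutions from this report plus benign records on
# RFC 5737 documentation addresses (constructed, not observed in the analysis).
SAMPLE_RESOLUTIONS = [
    ("mikeljack321.ddns.net", "185.140.53.6"),
    ("ella666.duckdns.org", "185.140.53.6"),
    ("www.fontbureau.com", "203.0.113.10"),
    ("notduckdns.org", "203.0.113.11"),
    ("cdn.example.net", "203.0.113.11"),
]


if __name__ == "__main__":
    for f in find_shared_ddns_infra(SAMPLE_RESOLUTIONS):
        print(f"{f.ip}: {len(f.ddns_hosts)} dynamic-DNS names -> {', '.join(f.ddns_hosts)}")
```

      Feed it the (query, answer) pairs from DNS logs or a passive-DNS export; the returned SharedInfra entries give both the address to block and the full set of names to sweep for in proxy and DNS telemetry.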

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false |  | high
http://www.fontbureau.com | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false |  | high
http://www.fontbureau.com/designersG | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false |  | high
http://www.fontbureau.com/designers/? | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false |  | high
http://www.founder.com.cn/cn/bThe | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false |  | high
http://www.tiro.com | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false |  | high
http://www.goodfont.co.kr | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false |  | high
http://www.founder.com.cn/cn/cThe | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false |  | high
http://www.jiyu-kobo.co.jp/ | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://github.com/besentv | 1FB6ncJ5XP.exe | false |  | high
http://www.galapagosdesign.com/DPlease | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false |  | high
http://www.fonts.com | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false |  | high
http://www.sandoll.co.kr | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1FB6ncJ5XP.exe, 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp, 1FB6ncJ5XP.exe, 00000007.00000002.569044222.0000000002D77000.00000004.00000001.sdmp | false |  | high
http://www.sakkal.com | 1FB6ncJ5XP.exe, 00000000.00000002.343581547.0000000006F22000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                  Contacted IPs


                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.140.53.6 | mikeljack321.ddns.net | Sweden | 209623 | DAVID_CRAIGGG | true

                                  Private

                                  IP
                                  192.168.2.1

                                  General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 500301
Start date: 11.10.2021
Start time: 22:22:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 32s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 1FB6ncJ5XP.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/5@21/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.139.176.199, 2.20.178.24, 2.20.178.18, 20.54.110.249, 52.251.79.25, 40.112.88.60, 93.184.221.240, 20.199.120.182, 20.199.120.85, 95.100.216.89
• Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, iris-de-prod-azsc-eas.eastasia.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

Time | Type | Description
22:24:10 | API Interceptor | 921x Sleep call for process: 1FB6ncJ5XP.exe modified

                                  Joe Sandbox View / Context

                                  IPs

Match | Associated Sample Name / URL | Detection
185.140.53.6 | d1IaoX0mpm.exe | malicious
185.140.53.6 | ORDER LIST.xlsx | malicious
185.140.53.6 | DeKjb2fKJT.exe | malicious
185.140.53.6 | MT103 tek M#U00fc#U015fteri kredi aktarma kopyas#U0131,pdf.exe | malicious
185.140.53.6 | DEKONT,pdf.exe | malicious
185.140.53.6 | PO 001077 - CS#000310.xlsx | malicious

                                              Domains

Match | Associated Sample Name / URL | Detection | Context
ella666.duckdns.org | DeKjb2fKJT.exe | malicious | 185.140.53.6
ella666.duckdns.org | 6cg2ZIoAHQ.exe | malicious | 79.134.225.10

                                              ASN

Match | Associated Sample Name / URL | Detection | Context
DAVID_CRAIGGG | DHL_101121 recibo de la compra,pdf.exe | malicious | 185.140.53.136
DAVID_CRAIGGG | noZPwMIh7e.exe | malicious | 91.193.75.133
DAVID_CRAIGGG | Memorandum from the Saudi Embassy.pdf.exe | malicious | 185.140.53.8
DAVID_CRAIGGG | RkPJvCnCuJ.exe | malicious | 185.140.53.133
DAVID_CRAIGGG | AWB # 2617429350,pdf.exe | malicious | 185.140.53.133
DAVID_CRAIGGG | DHL_100621 de documentos de la compra,pdf.exe | malicious | 185.140.53.5
DAVID_CRAIGGG | DHL_119040 de documentos de la compra .pdf.exe | malicious | 185.140.53.5
DAVID_CRAIGGG | Nouvelle commande 983765_2021,pdf.exe | malicious | 185.244.30.19
DAVID_CRAIGGG | #U00d6DEME TAVS#U0130YES#U0130_PDF.exe | malicious | 185.140.53.232
DAVID_CRAIGGG | TEKL_F VE F_YAT TEKL_F TALEB_PDF.exe | malicious | 185.140.53.232
DAVID_CRAIGGG | Yeni Sipari_ #86-55113,pdf.exe | malicious | 185.140.53.133
DAVID_CRAIGGG | OMNH11mXX2.exe | malicious | 185.140.53.3
DAVID_CRAIGGG | FZJCUwvp0s.exe | malicious | 185.140.53.3
DAVID_CRAIGGG | Naujas u#U017esakymas. 141.exe | malicious | 91.193.75.173
DAVID_CRAIGGG | SWIFT.exe | malicious | 185.244.30.252
DAVID_CRAIGGG | Mts#U007e00037363673893-09387633783876337.exe | malicious | 185.140.53.9
DAVID_CRAIGGG | W3vIt7fcaD.exe | malicious | 185.140.53.14
DAVID_CRAIGGG | J5K18S6C5V43.exe | malicious | 185.140.53.3
DAVID_CRAIGGG | RFQAP65425652032421 urgentes,pdf.exe | malicious | 185.244.30.19
DAVID_CRAIGGG | Scan0005936148.exe | malicious | 185.244.30.68

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1FB6ncJ5XP.exe.log
Process: C:\Users\user\Desktop\1FB6ncJ5XP.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp
Process: C:\Users\user\Desktop\1FB6ncJ5XP.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1645
Entropy (8bit): 5.199228582576025
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBatn:cbh47TlNQ//rydbz9I3YODOLNdq3W
MD5: F3CD74A20FE323A5FC1F90249DE26602
SHA1: F802CF5462A0D068F577F3B31E6A5D3ED7D53CE7
SHA-256: CA606E21DEFDB5A07862C1D48A4DE79699EFA24F466CEAACE13F1463329B14F7
SHA-512: D69C54F4D5F7B3AE06157D1FB53855C632828F960D0C170B140E64FA9B473319CDD087C5F174DEF6A6E3EB7A93E2727FF72BA389DD3A49EBC77735845555052B
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\1FB6ncJ5XP.exe
File Type: data
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:ct:c
MD5: 407C6F1A0FAD16CAB6817B9EEA8F0868
SHA1: 861B00F6BC9BD070317ED8A146D379BED7A451F3
SHA-256: 03894C3F20DAA7ED0F45203344BF70510CFA7207B54B528EAE004C894D42419F
SHA-512: 3CB51C0E9C03AEE25BBAD42779A9DD1AC758920979FA9DF6FD91C90EA4C27D1ACDCB1E89C3694F6202A7176ACFFE9F05F61FE7C68D3D5F3B18C87EF282626905
Malicious: true
Reputation: low
Preview: .v..@..H

C:\Users\user\AppData\Roaming\QLpzxrlNoQJN.exe
Process: C:\Users\user\Desktop\1FB6ncJ5XP.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 622592
Entropy (8bit): 7.380179159495352
Encrypted: false
SSDEEP: 12288:O7hv6UDSuTG2T9BGQ7KhQ5w8vdw3e1FH6pBhc7UfGxmn0:iiUmuTG2JahQ5bw3eaVc7xIn
MD5: E90D3150B729F9E9F8271ED964DA0D14
SHA1: 08F865E0F25CA9F7E19F04E8D437214F924C3BB8
SHA-256: B96AE4AAB134C7612BD21311EE76A7B0B0DC14AF7B2E10713564E50FC739967E
SHA-512: E60900A239117FF9959F3BED2E889814527A814FB1D00041E09C9E589FE017CF9F0F43CD54A75F5CEBBBBF384EC4F0001CC94F10999A9BFCD43269D67FDBA631
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 42%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ca..............0..t..........~.... ........@.. ....................................@.................................,...O.......T............................................................................ ............... ..H............text....s... ...t.................. ..`.rsrc...T............v..............@..@.reloc...............~..............@..B................`.......H........T..........z..../..@c..........................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*..0..2.............(....s......s....}.....s....}.....s....}.....s....}.....(......{.....o......{....r...p"...A...s....o .....{........s!...o".....{....r+..po#.....{.....8..s$...o%.....{.....o&.....{....r9..po'.....{.....o......{....r...p"...A...s....o .....{........s!...o".....{....rK..po#.....{.... ......s$...o%.....{.....o&..

C:\Users\user\AppData\Roaming\QLpzxrlNoQJN.exe:Zone.Identifier
Process: C:\Users\user\Desktop\1FB6ncJ5XP.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

                                              Static File Info

                                              General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.380179159495352
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 1FB6ncJ5XP.exe
File size: 622592
MD5: e90d3150b729f9e9f8271ed964da0d14
SHA1: 08f865e0f25ca9f7e19f04e8d437214f924c3bb8
SHA256: b96ae4aab134c7612bd21311ee76a7b0b0dc14af7b2e10713564e50fc739967e
SHA512: e60900a239117ff9959f3bed2e889814527a814fb1d00041e09c9e589fe017cf9f0f43cd54a75f5cebbbbf384ec4f0001cc94f10999a9bfcd43269d67fdba631
SSDEEP: 12288:O7hv6UDSuTG2T9BGQ7KhQ5w8vdw3e1FH6pBhc7UfGxmn0:iiUmuTG2JahQ5bw3eaVc7xIn
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ca..............0..t..........~.... ........@.. ....................................@................................

                                              File Icon

Icon Hash: 00828e8e8686b000

                                              Static PE Info

                                              General

Entrypoint: 0x49937e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6163E5E2 [Mon Oct 11 07:21:06 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
add byte ptr [eax], al
(this instruction repeats for the remainder of the listing: the disassembler is decoding a run of zero bytes, i.e. padding after the code, not executable logic)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x9932c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9a000          0x654         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9c000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

A populated COM_DESCRIPTOR entry (the CLR header) together with an empty SECURITY entry means this is an unsigned .NET executable; the 8-byte IAT and 0x4f-byte import directory hold nothing but the _CorExeMain stub listed under Imports.

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x97384       0x97400   False     0.76508910124    data       7.39359374162   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x9a000          0x654         0x800     False     0.3349609375     data       3.52727036159   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x9c000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The only code section, .text, has an entropy of 7.39 bits per byte (8.0 is the maximum) and compresses poorly (ZLIB complexity 0.77). Plain IL and metadata do not look like that; for a .NET assembly whose only native import is mscoree.dll!_CorExeMain this points to an encrypted or compressed payload embedded in the assembly, consistent with the unpacker and very-large-string findings. The 12-byte .reloc holds the single fixup for the _CorExeMain entry stub, which is normal for a 32-bit .NET executable.

Resources

Name         RVA      Size   Type                                                                         Language  Country
RT_VERSION   0x9a090  0x3c4  data
RT_MANIFEST  0x9a464  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2017
Assembly Version  1.0.0.0
InternalName      ReadOnlyDictionaryValueCollecti.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       Reminder_WindowBorderRemover
ProductVersion    1.0.0.0
FileDescription   Reminder_WindowBorderRemover
OriginalFilename  ReadOnlyDictionaryValueCollecti.exe
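As an added worked example (triage code written for this page, not Joe Sandbox output and not code from the sample), the following Python script parses a PE32 section table and the data directories in the form the tables above present them, computes per-section Shannon entropy, and flags an executable section whose bytes look encrypted or compressed when a CLR header is also present. It runs against a constructed in-memory PE32 image that mimics the shape of this sample (CLR header at RVA 0x2008, a .text section filled with pseudo-random bytes); the 7.0 bits-per-byte threshold, the synthetic image and its section layout are assumptions, not values from the report.

```python
"""PE section/entropy triage. Added example for this page; the PACKED_ENTROPY
threshold and build_sample_pe() are assumptions, not values from the report."""
import math
import random
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14        # CLR (.NET) header slot
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY = 7.0                              # assumed triage threshold, bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes):
    """Return (data_directories, sections) read from a raw PE32/PE32+ file image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ optional header
    ndirs = struct.unpack_from("<I", image, dd_off - 4)[0]  # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", image, dd_off + 8 * i) for i in range(ndirs)]
    sec_hdr = opt + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", image, sec_hdr + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "executable": bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
            "entropy": shannon_entropy(raw),
        })
    return dirs, sections


def triage(image: bytes) -> dict:
    """Flag a .NET image (non-empty CLR directory) whose code section is near 8 bits/byte."""
    dirs, sections = parse_pe(image)
    clr_size = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR][1] if len(dirs) > 14 else 0
    packed = [s["name"] for s in sections
              if s["executable"] and s["entropy"] >= PACKED_ENTROPY]
    return {"is_dotnet": clr_size != 0, "packed_sections": packed, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not the analysed sample): CLR header present and a
    .text section of pseudo-random bytes, the shape a packed .NET loader has."""
    rng = random.Random(7)
    text = bytes(rng.getrandbits(8) for _ in range(0x1000))      # "encrypted" code
    rsrc = (b"<assembly/>\r\n" * 39).ljust(0x200, b"\0")          # low-entropy resource
    reloc = bytes(0x200)                                          # placeholder, all zero
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    hdr = struct.Struct("<8sIIIIIIHHI")
    secs = (hdr.pack(b".text", len(text), 0x2000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
            + hdr.pack(b".rsrc", len(rsrc), 0x4000, len(rsrc), 0x1200, 0, 0, 0, 0, 0x40000040)
            + hdr.pack(b".reloc", len(reloc), 0x6000, len(reloc), 0x1400, 0, 0, 0, 0, 0x42000040))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    return headers + text + rsrc + reloc


if __name__ == "__main__":
    result = triage(build_sample_pe())
    for s in result["sections"]:
        print(f"{s['name']:<7} rva=0x{s['va']:x} raw=0x{s['rawsize']:x} entropy={s['entropy']:.2f}")
    print("is_dotnet:", result["is_dotnet"], "packed:", result["packed_sections"])
```

For a file on disk, pass open(path, "rb").read() to triage(); the sample's .text entropy of 7.39 would trip the same rule. The threshold is a heuristic: legitimately compressed resources or embedded certificates can push a data section high, which is why the check is restricted to sections marked executable.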

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID  Message                                                        Source Port  Dest Port  Source IP  Dest IP
10/11/21-22:24:18.095895  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           52806      8.8.8.8    192.168.2.3
10/11/21-22:24:23.876499  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           64021      8.8.8.8    192.168.2.3
10/11/21-22:24:29.226553  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           49572      8.8.8.8    192.168.2.3
10/11/21-22:24:34.714834  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           49559      8.8.8.8    192.168.2.3
10/11/21-22:24:40.104285  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           63297      8.8.8.8    192.168.2.3
10/11/21-22:24:45.272642  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           50728      8.8.8.8    192.168.2.3
10/11/21-22:24:50.980931  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           53777      8.8.8.8    192.168.2.3
10/11/21-22:24:56.492230  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           60352      8.8.8.8    192.168.2.3
10/11/21-22:25:12.191345  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           64367      8.8.8.8    192.168.2.3
10/11/21-22:25:22.606841  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           55393      8.8.8.8    192.168.2.3
10/11/21-22:25:33.092754  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           58540      8.8.8.8    192.168.2.3
10/11/21-22:25:38.249210  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           55108      8.8.8.8    192.168.2.3
10/11/21-22:25:43.411922  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           64432      8.8.8.8    192.168.2.3
10/11/21-22:25:48.709933  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           49250      8.8.8.8    192.168.2.3
10/11/21-22:25:55.885208  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           63490      8.8.8.8    192.168.2.3

Snort SID 254 fires on any A record response with a 60-second TTL and no authority section. Dynamic-DNS providers such as DuckDNS and No-IP (ddns.net) serve short TTLs on purpose so that a re-pointed hostname propagates quickly, so these alerts are a by-product of the C2 hostnames being dynamic-DNS names, not evidence that the resolver (8.8.8.8) was spoofed. The indicators worth acting on are the two hostnames and the address they resolve to, listed under DNS Queries and DNS Answers below.

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Oct 11, 2021 22:24:18.109442949 CEST  49754        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:18.132384062 CEST  31829        49754      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:18.726923943 CEST  49754        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:18.750072002 CEST  31829        49754      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:19.430008888 CEST  49754        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:19.453057051 CEST  31829        49754      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:23.945653915 CEST  49760        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:23.969046116 CEST  31829        49760      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:24.476792097 CEST  49760        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:24.500328064 CEST  31829        49760      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:25.008122921 CEST  49760        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:25.031382084 CEST  31829        49760      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:29.227946997 CEST  49766        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:29.251220942 CEST  31829        49766      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:29.930358887 CEST  49766        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:29.953210115 CEST  31829        49766      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:30.618086100 CEST  49766        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:30.641083002 CEST  31829        49766      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:34.734694958 CEST  49772        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:34.759244919 CEST  31829        49772      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:35.258949995 CEST  49772        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:35.282156944 CEST  31829        49772      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:35.868508101 CEST  49772        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:35.891722918 CEST  31829        49772      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:40.106343031 CEST  49783        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:40.134058952 CEST  31829        49783      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:40.650099993 CEST  49783        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:40.673233032 CEST  31829        49783      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:41.181328058 CEST  49783        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:41.204372883 CEST  31829        49783      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:45.274373055 CEST  49809        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:45.297611952 CEST  31829        49809      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:45.806749105 CEST  49809        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:45.829842091 CEST  31829        49809      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:46.338087082 CEST  49809        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:46.360940933 CEST  31829        49809      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:50.982249975 CEST  49813        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:51.004960060 CEST  31829        49813      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:51.604154110 CEST  49813        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:51.628364086 CEST  31829        49813      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:52.307292938 CEST  49813        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:52.330096006 CEST  31829        49813      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:56.493689060 CEST  49815        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:56.516875029 CEST  31829        49815      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:57.026534081 CEST  49815        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:57.049992085 CEST  31829        49815      185.140.53.6  192.168.2.3
Oct 11, 2021 22:24:57.557795048 CEST  49815        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:24:57.583390951 CEST  31829        49815      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:01.864880085 CEST  49816        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:01.887867928 CEST  31829        49816      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:02.406058073 CEST  49816        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:02.429120064 CEST  31829        49816      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:02.933310032 CEST  49816        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:02.956329107 CEST  31829        49816      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:07.024261951 CEST  49818        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:07.047312975 CEST  31829        49818      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:07.558742046 CEST  49818        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:07.581775904 CEST  31829        49818      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:08.093525887 CEST  49818        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:08.117657900 CEST  31829        49818      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:12.193054914 CEST  49819        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:12.216276884 CEST  31829        49819      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:12.731220961 CEST  49819        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:12.754436970 CEST  31829        49819      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:13.262505054 CEST  49819        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:13.286047935 CEST  31829        49819      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:17.346590042 CEST  49820        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:17.369695902 CEST  31829        49820      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:17.872184038 CEST  49820        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:17.896374941 CEST  31829        49820      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:18.404294014 CEST  49820        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:18.438730955 CEST  31829        49820      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:22.610183001 CEST  49821        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:22.633527040 CEST  31829        49821      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:23.138151884 CEST  49821        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:23.160849094 CEST  31829        49821      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:23.669342995 CEST  49821        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:23.692219019 CEST  31829        49821      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:27.762537956 CEST  49823        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:27.785161018 CEST  31829        49823      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:28.294878960 CEST  49823        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:28.319272041 CEST  31829        49823      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:28.826015949 CEST  49823        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:28.848717928 CEST  31829        49823      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:33.094907045 CEST  49824        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:33.119893074 CEST  31829        49824      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:33.623317003 CEST  49824        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:33.646220922 CEST  31829        49824      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:34.154674053 CEST  49824        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:34.177511930 CEST  31829        49824      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:38.251130104 CEST  49825        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:38.273798943 CEST  31829        49825      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:38.780015945 CEST  49825        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:38.802719116 CEST  31829        49825      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:39.311321974 CEST  49825        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:39.334150076 CEST  31829        49825      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:43.414850950 CEST  49830        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:43.437627077 CEST  31829        49830      185.140.53.6  192.168.2.3
Oct 11, 2021 22:25:43.952534914 CEST  49830        31829      192.168.2.3   185.140.53.6
Oct 11, 2021 22:25:43.975502968 CEST  31829        49830      185.140.53.6  192.168.2.3

Every attempt goes to the same destination, 185.140.53.6 on TCP port 31829, from a fresh ephemeral source port. Each attempt consists of three client packets about 0.5 to 0.7 seconds apart, each answered by the server within roughly 25 ms, after which that port sees no further traffic; the next attempt follows a new DNS lookup about five seconds later. No session persists on any port for the duration of the capture, so the constant destination port, not the rotating client ports, is the indicator to use for network detection.

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Oct 11, 2021 22:24:17.984097004 CEST  52806        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:24:18.095895052 CEST  53           52806      8.8.8.8      192.168.2.3
Oct 11, 2021 22:24:23.762837887 CEST  64021        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:24:23.876498938 CEST  53           64021      8.8.8.8      192.168.2.3
Oct 11, 2021 22:24:29.112129927 CEST  49572        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:24:29.226552963 CEST  53           49572      8.8.8.8      192.168.2.3
Oct 11, 2021 22:24:34.694262981 CEST  49559        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:24:34.714833975 CEST  53           49559      8.8.8.8      192.168.2.3
Oct 11, 2021 22:24:40.084264994 CEST  63297        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:24:40.104285002 CEST  53           63297      8.8.8.8      192.168.2.3
Oct 11, 2021 22:24:45.252636909 CEST  50728        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:24:45.272641897 CEST  53           50728      8.8.8.8      192.168.2.3
Oct 11, 2021 22:24:50.867288113 CEST  53777        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:24:50.980931044 CEST  53           53777      8.8.8.8      192.168.2.3
Oct 11, 2021 22:24:56.376194000 CEST  60352        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:24:56.492229939 CEST  53           60352      8.8.8.8      192.168.2.3
Oct 11, 2021 22:25:01.844786882 CEST  56773        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:25:01.862924099 CEST  53           56773      8.8.8.8      192.168.2.3
Oct 11, 2021 22:25:07.003144979 CEST  58058        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:25:07.021365881 CEST  53           58058      8.8.8.8      192.168.2.3
Oct 11, 2021 22:25:12.170744896 CEST  64367        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:25:12.191344976 CEST  53           64367      8.8.8.8      192.168.2.3
Oct 11, 2021 22:25:17.326965094 CEST  51539        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:25:17.345349073 CEST  53           51539      8.8.8.8      192.168.2.3
Oct 11, 2021 22:25:22.491801977 CEST  55393        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:25:22.606841087 CEST  53           55393      8.8.8.8      192.168.2.3
Oct 11, 2021 22:25:27.745096922 CEST  63456        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:25:27.761207104 CEST  53           63456      8.8.8.8      192.168.2.3
Oct 11, 2021 22:25:32.977087975 CEST  58540        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:25:33.092753887 CEST  53           58540      8.8.8.8      192.168.2.3
Oct 11, 2021 22:25:38.228058100 CEST  55108        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:25:38.249209881 CEST  53           55108      8.8.8.8      192.168.2.3
Oct 11, 2021 22:25:43.392096043 CEST  64432        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:25:43.411921978 CEST  53           64432      8.8.8.8      192.168.2.3
Oct 11, 2021 22:25:48.689290047 CEST  49250        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:25:48.709933043 CEST  53           49250      8.8.8.8      192.168.2.3
Oct 11, 2021 22:25:55.771222115 CEST  63490        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:25:55.885207891 CEST  53           63490      8.8.8.8      192.168.2.3
Oct 11, 2021 22:26:01.238878012 CEST  61120        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:26:01.257261992 CEST  53           61120      8.8.8.8      192.168.2.3
Oct 11, 2021 22:26:06.354088068 CEST  53079        53         192.168.2.3  8.8.8.8
Oct 11, 2021 22:26:06.372297049 CEST  53           53079      8.8.8.8      192.168.2.3

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
Oct 11, 2021 22:24:17.984097004 CEST  192.168.2.3  8.8.8.8  0x8497    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:23.762837887 CEST  192.168.2.3  8.8.8.8  0x8a71    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:29.112129927 CEST  192.168.2.3  8.8.8.8  0xc4bf    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:34.694262981 CEST  192.168.2.3  8.8.8.8  0xb4f     Standard query (0)  mikeljack321.ddns.net  A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:40.084264994 CEST  192.168.2.3  8.8.8.8  0xe2de    Standard query (0)  mikeljack321.ddns.net  A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:45.252636909 CEST  192.168.2.3  8.8.8.8  0x51dc    Standard query (0)  mikeljack321.ddns.net  A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:50.867288113 CEST  192.168.2.3  8.8.8.8  0x27b8    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:56.376194000 CEST  192.168.2.3  8.8.8.8  0xaa0d    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:01.844786882 CEST  192.168.2.3  8.8.8.8  0x30f9    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:07.003144979 CEST  192.168.2.3  8.8.8.8  0x1814    Standard query (0)  mikeljack321.ddns.net  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:12.170744896 CEST  192.168.2.3  8.8.8.8  0x4722    Standard query (0)  mikeljack321.ddns.net  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:17.326965094 CEST  192.168.2.3  8.8.8.8  0x431c    Standard query (0)  mikeljack321.ddns.net  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:22.491801977 CEST  192.168.2.3  8.8.8.8  0x3064    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:27.745096922 CEST  192.168.2.3  8.8.8.8  0xa45f    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:32.977087975 CEST  192.168.2.3  8.8.8.8  0x9656    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:38.228058100 CEST  192.168.2.3  8.8.8.8  0x7bae    Standard query (0)  mikeljack321.ddns.net  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:43.392096043 CEST  192.168.2.3  8.8.8.8  0x2c60    Standard query (0)  mikeljack321.ddns.net  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:48.689290047 CEST  192.168.2.3  8.8.8.8  0x32bf    Standard query (0)  mikeljack321.ddns.net  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:55.771222115 CEST  192.168.2.3  8.8.8.8  0x6bc4    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)
Oct 11, 2021 22:26:01.238878012 CEST  192.168.2.3  8.8.8.8  0x3609    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)
Oct 11, 2021 22:26:06.354088068 CEST  192.168.2.3  8.8.8.8  0x6ce0    Standard query (0)  ella666.duckdns.org    A (IP address)  IN (0x0001)

The client resolves the two hostnames in alternating groups of three (three attempts against ella666.duckdns.org, then three against mikeljack321.ddns.net) at roughly five-second intervals, re-querying before every connection attempt rather than caching the answer. Both names are on free dynamic-DNS providers and both resolve to the same address (see DNS Answers), so the pair behaves as a primary/backup C2 host list pointing at one server; blocking the IP alone would not survive the operator re-pointing either name.

DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code     Name                   CName  Address       Type            Class
Oct 11, 2021 22:24:18.095895052 CEST  8.8.8.8    192.168.2.3  0x8497    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:23.876498938 CEST  8.8.8.8    192.168.2.3  0x8a71    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:29.226552963 CEST  8.8.8.8    192.168.2.3  0xc4bf    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:34.714833975 CEST  8.8.8.8    192.168.2.3  0xb4f     No error (0)   mikeljack321.ddns.net  -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:40.104285002 CEST  8.8.8.8    192.168.2.3  0xe2de    No error (0)   mikeljack321.ddns.net  -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:45.272641897 CEST  8.8.8.8    192.168.2.3  0x51dc    No error (0)   mikeljack321.ddns.net  -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:50.980931044 CEST  8.8.8.8    192.168.2.3  0x27b8    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:24:56.492229939 CEST  8.8.8.8    192.168.2.3  0xaa0d    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:01.862924099 CEST  8.8.8.8    192.168.2.3  0x30f9    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:07.021365881 CEST  8.8.8.8    192.168.2.3  0x1814    No error (0)   mikeljack321.ddns.net  -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:12.191344976 CEST  8.8.8.8    192.168.2.3  0x4722    No error (0)   mikeljack321.ddns.net  -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:17.345349073 CEST  8.8.8.8    192.168.2.3  0x431c    No error (0)   mikeljack321.ddns.net  -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:22.606841087 CEST  8.8.8.8    192.168.2.3  0x3064    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:27.761207104 CEST  8.8.8.8    192.168.2.3  0xa45f    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:33.092753887 CEST  8.8.8.8    192.168.2.3  0x9656    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:38.249209881 CEST  8.8.8.8    192.168.2.3  0x7bae    No error (0)   mikeljack321.ddns.net  -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:43.411921978 CEST  8.8.8.8    192.168.2.3  0x2c60    No error (0)   mikeljack321.ddns.net  -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:48.709933043 CEST  8.8.8.8    192.168.2.3  0x32bf    No error (0)   mikeljack321.ddns.net  -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:25:55.885207891 CEST  8.8.8.8    192.168.2.3  0x6bc4    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:26:01.257261992 CEST  8.8.8.8    192.168.2.3  0x3609    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)
Oct 11, 2021 22:26:06.372297049 CEST  8.8.8.8    192.168.2.3  0x6ce0    No error (0)   ella666.duckdns.org    -      185.140.53.6  A (IP address)  IN (0x0001)

Behavior

System Behavior

General

Start time: 22:23:56
Start date: 11/10/2021
Path: C:\Users\user\Desktop\1FB6ncJ5XP.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\1FB6ncJ5XP.exe'
Imagebase: 0x9c0000
File size: 622592 bytes
MD5 hash: E90D3150B729F9E9F8271ED964DA0D14
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.339237051.0000000002D51000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.340496644.0000000003EE2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.339659740.0000000002E7E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.340027547.0000000003D59000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 22:24:11
Start date: 11/10/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QLpzxrlNoQJN' /XML 'C:\Users\user\AppData\Local\Temp\tmpCE1C.tmp'
Imagebase: 0x60000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:24:12
Start date: 11/10/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:24:12
Start date: 11/10/2021
Path: C:\Users\user\Desktop\1FB6ncJ5XP.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\1FB6ncJ5XP.exe
Imagebase: 0xa40000
File size: 622592 bytes
MD5 hash: E90D3150B729F9E9F8271ED964DA0D14
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.573289700.0000000005640000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.573289700.0000000005640000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.573397352.0000000005780000.00000004.00020000.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000007.00000002.566743292.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000007.00000002.572012572.0000000003D69000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low
