Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
vsQkhWCXxv.exe

Overview

General Information

Sample Name:vsQkhWCXxv.exe
Analysis ID:625006
MD5:ff76da5616699735c9f7c70ba9e66909
SHA1:9b0c1bf91bfd6e8e0a1d68f5d0da2f8addad231d
SHA256:ec04ec5840bcab1b86ec8e2a9d5d8fcbbc687a6235df0bc416e3cb6b149faf97
Tags:exeNanoCoreRAT
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • vsQkhWCXxv.exe (PID: 3472 cmdline: "C:\Users\user\Desktop\vsQkhWCXxv.exe" MD5: FF76DA5616699735C9F7C70BA9E66909)
    • powershell.exe (PID: 1300 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6280 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vyJCJmhRnRK" /XML "C:\Users\user\AppData\Local\Temp\tmp5508.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vsQkhWCXxv.exe (PID: 6340 cmdline: C:\Users\user\Desktop\vsQkhWCXxv.exe MD5: FF76DA5616699735C9F7C70BA9E66909)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "ac8dc510-d280-4bfd-8a77-cea13b6d", "Group": "2ND MARCH", "Domain1": "ella666.duckdns.org", "Domain2": "mikeljack321.ddns.net", "Port": 31788, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "ella666.duckdns.org"}
SourceRuleDescriptionAuthorStrings
00000000.00000002.346722851.0000000005340000.00000004.08000000.00040000.00000000.sdmpINDICATOR_EXE_Packed_DotNetReactorDetects executables packed with unregistered version of .NET ReactorditekSHen
  • 0xd071:$s2: is protected by an unregistered version of .NET Reactor!" );</script>
00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Click to see the 35 entries
    SourceRuleDescriptionAuthorStrings
    17.2.vsQkhWCXxv.exe.5460000.6.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    17.2.vsQkhWCXxv.exe.5460000.6.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    17.2.vsQkhWCXxv.exe.5460000.6.raw.unpackMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
    • 0xe38:$x2: NanoCore.ClientPlugin
    • 0xe75:$x3: NanoCore.ClientPluginHost
    • 0xe5a:$i1: IClientApp
    • 0xe4e:$i2: IClientData
    • 0xe29:$i3: IClientNetwork
    • 0xec3:$i4: IClientAppHost
    • 0xe65:$i5: IClientDataHost
    • 0xeb0:$i6: IClientLoggingHost
    • 0xe8f:$i7: IClientNetworkHost
    • 0xea2:$i8: IClientUIHost
    • 0xed2:$i9: IClientNameObjectCollection
    • 0xef7:$i10: IClientReadOnlyNameObjectCollection
    • 0xe41:$s1: ClientPlugin
    • 0x177c:$s1: ClientPlugin
    • 0x1789:$s1: ClientPlugin
    • 0x11f9:$s6: get_ClientSettings
    • 0x1249:$s7: get_Connected
    17.0.vsQkhWCXxv.exe.400000.8.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    17.0.vsQkhWCXxv.exe.400000.8.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xff05:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
    Click to see the 74 entries

    AV Detection

    barindex
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\vsQkhWCXxv.exe, ProcessId: 6340, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud

    barindex
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\vsQkhWCXxv.exe, ProcessId: 6340, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Stealing of Sensitive Information

    barindex
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\vsQkhWCXxv.exe, ProcessId: 6340, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Remote Access Functionality

    barindex
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\vsQkhWCXxv.exe, ProcessId: 6340, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ac8dc510-d280-4bfd-8a77-cea13b6d", "Group": "2ND MARCH", "Domain1": "ella666.duckdns.org", "Domain2": "mikeljack321.ddns.net", "Port": 31788, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "ella666.duckdns.org"}
    Source: vsQkhWCXxv.exeVirustotal: Detection: 50%Perma Link
    Source: vsQkhWCXxv.exeMetadefender: Detection: 31%Perma Link
    Source: vsQkhWCXxv.exeReversingLabs: Detection: 60%
    Source: vsQkhWCXxv.exeAvira: detected
    Source: ella666.duckdns.orgAvira URL Cloud: Label: malware
    Source: mikeljack321.ddns.netVirustotal: Detection: 6%Perma Link
    Source: ella666.duckdns.orgVirustotal: Detection: 11%Perma Link
    Source: C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exeAvira: detection malicious, Label: TR/AD.BDSNanoCoreClient.wibth
    Source: C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exeMetadefender: Detection: 31%Perma Link
    Source: C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exeReversingLabs: Detection: 60%
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e00000.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c245a5.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1b146.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3f7c3a0.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e00000.7.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3eca780.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3ddf028.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.336072667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.335466598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.523753940.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.337380622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: vsQkhWCXxv.exe PID: 3472, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: vsQkhWCXxv.exe PID: 6340, type: MEMORYSTR
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 17.0.vsQkhWCXxv.exe.400000.12.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 17.2.vsQkhWCXxv.exe.5e00000.7.unpackAvira: Label: TR/NanoCore.fadte
    Source: vsQkhWCXxv.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: vsQkhWCXxv.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

    Networking

    barindex
    Source: Malware configuration extractorURLs: ella666.duckdns.org
    Source: Malware configuration extractorURLs: mikeljack321.ddns.net
    Source: unknownDNS query: name: ella666.duckdns.org
    Source: unknownDNS query: name: mikeljack321.ddns.net
    Source: Joe Sandbox ViewASN Name: DATACLUB-NL DATACLUB-NL
    Source: Joe Sandbox ViewASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
    Source: Joe Sandbox ViewIP Address: 185.140.53.3 185.140.53.3
    Source: global trafficTCP traffic: 192.168.2.4:49768 -> 185.140.53.3:31788
    Source: global trafficTCP traffic: 192.168.2.4:49773 -> 84.38.129.53:31788
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
    Source: vsQkhWCXxv.exe, 00000000.00000002.340724952.0000000002BE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
    Source: vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: unknownDNS traffic detected: queries for: ella666.duckdns.org
    Source: vsQkhWCXxv.exe, 00000000.00000002.340091372.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: vsQkhWCXxv.exe, 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: RegisterRawInputDevices

    E-Banking Fraud

    barindex
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e00000.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c245a5.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1b146.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3f7c3a0.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e00000.7.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3eca780.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3ddf028.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.336072667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.335466598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.523753940.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.337380622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: vsQkhWCXxv.exe PID: 3472, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: vsQkhWCXxv.exe PID: 6340, type: MEMORYSTR

    System Summary

    barindex
    Source: 17.2.vsQkhWCXxv.exe.5460000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.2.vsQkhWCXxv.exe.5460000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 17.2.vsQkhWCXxv.exe.5e04629.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.2.vsQkhWCXxv.exe.5e04629.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.vsQkhWCXxv.exe.5340000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
    Source: 17.2.vsQkhWCXxv.exe.5e00000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.2.vsQkhWCXxv.exe.5e00000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 17.2.vsQkhWCXxv.exe.3c245a5.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.2.vsQkhWCXxv.exe.3c245a5.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.vsQkhWCXxv.exe.5340000.4.unpack, type: UNPACKEDPEMatched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
    Source: 17.0.vsQkhWCXxv.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.0.vsQkhWCXxv.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.0.vsQkhWCXxv.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 17.2.vsQkhWCXxv.exe.3c1b146.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.2.vsQkhWCXxv.exe.3c1b146.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.2.vsQkhWCXxv.exe.3c1b146.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 17.2.vsQkhWCXxv.exe.2bfd828.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.2.vsQkhWCXxv.exe.2bfd828.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.vsQkhWCXxv.exe.3f7c3a0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.vsQkhWCXxv.exe.3f7c3a0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.vsQkhWCXxv.exe.3f7c3a0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 17.2.vsQkhWCXxv.exe.5e00000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.2.vsQkhWCXxv.exe.5e00000.7.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.vsQkhWCXxv.exe.3eca780.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.vsQkhWCXxv.exe.3eca780.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.vsQkhWCXxv.exe.3eca780.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.vsQkhWCXxv.exe.3ddf028.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.vsQkhWCXxv.exe.3ddf028.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.vsQkhWCXxv.exe.3ddf028.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.346722851.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
    Source: 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000011.00000000.336072667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000011.00000000.336072667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000011.00000000.335466598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000011.00000000.335466598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000011.00000002.525905019.0000000005460000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000011.00000002.525905019.0000000005460000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000011.00000000.337380622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000011.00000000.337380622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: vsQkhWCXxv.exe PID: 3472, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: vsQkhWCXxv.exe PID: 3472, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: vsQkhWCXxv.exe PID: 6340, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: vsQkhWCXxv.exe PID: 6340, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: vsQkhWCXxv.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: 17.2.vsQkhWCXxv.exe.5460000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.2.vsQkhWCXxv.exe.5460000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.2.vsQkhWCXxv.exe.5460000.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 17.2.vsQkhWCXxv.exe.5e04629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.2.vsQkhWCXxv.exe.5e04629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.2.vsQkhWCXxv.exe.5e04629.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.vsQkhWCXxv.exe.5340000.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
    Source: 17.2.vsQkhWCXxv.exe.5e00000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.2.vsQkhWCXxv.exe.5e00000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.2.vsQkhWCXxv.exe.5e00000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 17.2.vsQkhWCXxv.exe.3c245a5.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.2.vsQkhWCXxv.exe.3c245a5.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.2.vsQkhWCXxv.exe.3c245a5.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.vsQkhWCXxv.exe.5340000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
    Source: 17.0.vsQkhWCXxv.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.0.vsQkhWCXxv.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.0.vsQkhWCXxv.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.0.vsQkhWCXxv.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 17.2.vsQkhWCXxv.exe.3c1b146.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.2.vsQkhWCXxv.exe.3c1b146.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.2.vsQkhWCXxv.exe.3c1b146.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.2.vsQkhWCXxv.exe.3c1b146.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 17.2.vsQkhWCXxv.exe.2bfd828.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.2.vsQkhWCXxv.exe.2bfd828.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.2.vsQkhWCXxv.exe.2bfd828.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.vsQkhWCXxv.exe.3f7c3a0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.vsQkhWCXxv.exe.3f7c3a0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.vsQkhWCXxv.exe.3f7c3a0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 17.2.vsQkhWCXxv.exe.5e00000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.2.vsQkhWCXxv.exe.5e00000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.2.vsQkhWCXxv.exe.5e00000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.vsQkhWCXxv.exe.3eca780.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.vsQkhWCXxv.exe.3eca780.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.vsQkhWCXxv.exe.3eca780.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.vsQkhWCXxv.exe.3ddf028.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.vsQkhWCXxv.exe.3ddf028.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.vsQkhWCXxv.exe.3ddf028.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.346722851.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
    Source: 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000011.00000000.336072667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000011.00000000.336072667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000011.00000000.335466598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000011.00000000.335466598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000011.00000002.525905019.0000000005460000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000011.00000002.525905019.0000000005460000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000011.00000002.525905019.0000000005460000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000011.00000000.337380622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000011.00000000.337380622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: vsQkhWCXxv.exe PID: 3472, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: vsQkhWCXxv.exe PID: 3472, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: vsQkhWCXxv.exe PID: 6340, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: vsQkhWCXxv.exe PID: 6340, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeCode function: 0_2_079956580_2_07995658
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeCode function: 0_2_079956680_2_07995668
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeCode function: 0_2_079900060_2_07990006
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeCode function: 0_2_079900400_2_07990040
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeCode function: 0_2_006F92430_2_006F9243
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeCode function: 17_2_0079924317_2_00799243
    Source: vsQkhWCXxv.exe, 00000000.00000000.248502147.00000000007FE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRSAPKCS1SHA256SignatureDescript.exe4 vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exe, 00000000.00000002.340091372.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exe, 00000000.00000002.348053291.0000000007610000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exe, 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exe, 00000011.00000000.331310717.000000000089E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRSAPKCS1SHA256SignatureDescript.exe4 vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exe, 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exe, 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exe, 00000011.00000002.523753940.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exe, 00000011.00000002.526292058.0000000005E20000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exe, 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exe, 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exe, 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exeBinary or memory string: OriginalFilenameRSAPKCS1SHA256SignatureDescript.exe4 vs vsQkhWCXxv.exe
    Source: vsQkhWCXxv.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: vyJCJmhRnRK.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: vsQkhWCXxv.exeVirustotal: Detection: 50%
    Source: vsQkhWCXxv.exeMetadefender: Detection: 31%
    Source: vsQkhWCXxv.exeReversingLabs: Detection: 60%
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeFile read: C:\Users\user\Desktop\vsQkhWCXxv.exeJump to behavior
    Source: vsQkhWCXxv.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\vsQkhWCXxv.exe "C:\Users\user\Desktop\vsQkhWCXxv.exe"
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vyJCJmhRnRK" /XML "C:\Users\user\AppData\Local\Temp\tmp5508.tmp
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Users\user\Desktop\vsQkhWCXxv.exe C:\Users\user\Desktop\vsQkhWCXxv.exe
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exeJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vyJCJmhRnRK" /XML "C:\Users\user\AppData\Local\Temp\tmp5508.tmpJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Users\user\Desktop\vsQkhWCXxv.exe C:\Users\user\Desktop\vsQkhWCXxv.exeJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeFile created: C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exeJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeFile created: C:\Users\user\AppData\Local\Temp\tmp5508.tmpJump to behavior
    Source: classification engineClassification label: mal100.troj.evad.winEXE@9/9@9/3
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ac8dc510-d280-4bfd-8a77-cea13b6d4c64}
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6288:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_01
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeMutant created: \Sessions\1\BaseNamedObjects\mtOZNOFWuegJlXfDKCyjcrmdHs
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: vsQkhWCXxv.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: vsQkhWCXxv.exeStatic file information: File size 1093632 > 1048576
    Source: vsQkhWCXxv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: vsQkhWCXxv.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x10a400
    Source: vsQkhWCXxv.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

    Data Obfuscation

    barindex
    Source: vsQkhWCXxv.exe, View/EngineView.cs.Net Code: IDeferred System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: vyJCJmhRnRK.exe.0.dr, View/EngineView.cs.Net Code: IDeferred System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.0.vsQkhWCXxv.exe.6f0000.0.unpack, View/EngineView.cs.Net Code: IDeferred System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.2.vsQkhWCXxv.exe.6f0000.0.unpack, View/EngineView.cs.Net Code: IDeferred System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.2.vsQkhWCXxv.exe.790000.1.unpack, View/EngineView.cs.Net Code: IDeferred System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.790000.0.unpack, View/EngineView.cs.Net Code: IDeferred System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.790000.9.unpack, View/EngineView.cs.Net Code: IDeferred System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.790000.1.unpack, View/EngineView.cs.Net Code: IDeferred System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 17.0.vsQkhWCXxv.exe.790000.5.unpack, View/EngineView.cs.Net Code: IDeferred System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: initial sampleStatic PE information: section name: .text entropy: 7.670144875
    Source: initial sampleStatic PE information: section name: .text entropy: 7.670144875
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeFile created: C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exeJump to dropped file

    Boot Survival

    barindex
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vyJCJmhRnRK" /XML "C:\Users\user\AppData\Local\Temp\tmp5508.tmp

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeFile opened: C:\Users\user\Desktop\vsQkhWCXxv.exe:Zone.Identifier read attributes | deleteJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

    barindex
    Source: Yara matchFile source: 00000000.00000002.340724952.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: vsQkhWCXxv.exe PID: 3472, type: MEMORYSTR
    Source: vsQkhWCXxv.exe, 00000000.00000002.340724952.0000000002BE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
    Source: vsQkhWCXxv.exe, 00000000.00000002.340724952.0000000002BE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exe TID: 3308Thread sleep time: -38219s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exe TID: 5736Thread sleep time: -30000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exe TID: 4948Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6268Thread sleep time: -8301034833169293s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exe TID: 6524Thread sleep time: -23058430092136925s >= -30000sJump to behavior
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6183Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2410Jump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeWindow / User API: threadDelayed 4815Jump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeWindow / User API: threadDelayed 4462Jump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeWindow / User API: foregroundWindowGot 735Jump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeThread delayed: delay time: 38219Jump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: vsQkhWCXxv.exe, 00000000.00000002.340724952.0000000002BE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: vsQkhWCXxv.exe, 00000000.00000002.340724952.0000000002BE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
    Source: vsQkhWCXxv.exe, 00000000.00000002.340724952.0000000002BE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
    Source: vsQkhWCXxv.exe, 00000011.00000002.522405321.0000000000FC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: vsQkhWCXxv.exe, 00000000.00000002.340724952.0000000002BE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
    Source: vsQkhWCXxv.exe, 00000000.00000002.340208299.0000000000F1F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeMemory allocated: page read and write | page guardJump to behavior

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exe
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exeJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exeJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vyJCJmhRnRK" /XML "C:\Users\user\AppData\Local\Temp\tmp5508.tmpJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeProcess created: C:\Users\user\Desktop\vsQkhWCXxv.exe C:\Users\user\Desktop\vsQkhWCXxv.exeJump to behavior
    Source: vsQkhWCXxv.exe, 00000011.00000002.524290290.0000000002E1B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerHaNk
    Source: vsQkhWCXxv.exe, 00000011.00000002.524710629.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, vsQkhWCXxv.exe, 00000011.00000002.526471576.00000000062FC000.00000004.00000010.00020000.00000000.sdmp, vsQkhWCXxv.exe, 00000011.00000002.523988273.0000000002CB4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
    Source: vsQkhWCXxv.exe, 00000011.00000002.524865056.00000000030A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerP0r
    Source: vsQkhWCXxv.exe, 00000011.00000002.524550875.0000000002EBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managerx
    Source: vsQkhWCXxv.exe, 00000011.00000002.523988273.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, vsQkhWCXxv.exe, 00000011.00000002.523878380.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, vsQkhWCXxv.exe, 00000011.00000002.524290290.0000000002E1B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager|$;
    Source: vsQkhWCXxv.exe, 00000011.00000002.523878380.0000000002C3D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert
    Source: vsQkhWCXxv.exe, 00000011.00000002.526341408.0000000005F7D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: lProgram Manager
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Users\user\Desktop\vsQkhWCXxv.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Users\user\Desktop\vsQkhWCXxv.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\vsQkhWCXxv.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e00000.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c245a5.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1b146.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3f7c3a0.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e00000.7.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3eca780.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3ddf028.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.336072667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.335466598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.523753940.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.337380622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: vsQkhWCXxv.exe PID: 3472, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: vsQkhWCXxv.exe PID: 6340, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Source: vsQkhWCXxv.exe, 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: vsQkhWCXxv.exe, 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: vsQkhWCXxv.exe, 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: vsQkhWCXxv.exe, 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: vsQkhWCXxv.exe, 00000011.00000002.523753940.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: vsQkhWCXxv.exe, 00000011.00000002.523753940.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: vsQkhWCXxv.exe, 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: vsQkhWCXxv.exe, 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e00000.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c245a5.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1ff7c.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.3c1b146.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3f7c3a0.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.2.vsQkhWCXxv.exe.5e00000.7.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 17.0.vsQkhWCXxv.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3eca780.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.vsQkhWCXxv.exe.3ddf028.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.336072667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.335466598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.523753940.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000000.337380622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: vsQkhWCXxv.exe PID: 3472, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: vsQkhWCXxv.exe PID: 6340, type: MEMORYSTR
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts1
    Scheduled Task/Job
    1
    Scheduled Task/Job
    12
    Process Injection
    1
    Masquerading
    21
    Input Capture
    1
    Query Registry
    Remote Services21
    Input Capture
    Exfiltration Over Other Network Medium1
    Encrypted Channel
    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    Scheduled Task/Job
    11
    Disable or Modify Tools
    LSASS Memory21
    Security Software Discovery
    Remote Desktop Protocol11
    Archive Collected Data
    Exfiltration Over Bluetooth1
    Non-Standard Port
    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
    Virtualization/Sandbox Evasion
    Security Account Manager2
    Process Discovery
    SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
    Remote Access Software
    Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)12
    Process Injection
    NTDS21
    Virtualization/Sandbox Evasion
    Distributed Component Object ModelInput CaptureScheduled Transfer1
    Non-Application Layer Protocol
    SIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
    Deobfuscate/Decode Files or Information
    LSA Secrets1
    Application Window Discovery
    SSHKeyloggingData Transfer Size Limits21
    Application Layer Protocol
    Manipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common1
    Hidden Files and Directories
    Cached Domain Credentials1
    File and Directory Discovery
    VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup Items1
    Obfuscated Files or Information
    DCSync12
    System Information Discovery
    Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job13
    Software Packing
    Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 625006 Sample: vsQkhWCXxv.exe Startdate: 12/05/2022 Architecture: WINDOWS Score: 100 35 ella666.duckdns.org 2->35 43 Multi AV Scanner detection for domain / URL 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 13 other signatures 2->49 8 vsQkhWCXxv.exe 7 2->8         started        signatures3 process4 file5 25 C:\Users\user\AppData\...\vyJCJmhRnRK.exe, PE32 8->25 dropped 27 C:\Users\...\vyJCJmhRnRK.exe:Zone.Identifier, ASCII 8->27 dropped 29 C:\Users\user\AppData\Local\...\tmp5508.tmp, XML 8->29 dropped 31 C:\Users\user\AppData\...\vsQkhWCXxv.exe.log, ASCII 8->31 dropped 51 Uses schtasks.exe or at.exe to add and modify task schedules 8->51 53 Adds a directory exclusion to Windows Defender 8->53 12 vsQkhWCXxv.exe 6 8->12         started        17 powershell.exe 25 8->17         started        19 schtasks.exe 1 8->19         started        signatures6 process7 dnsIp8 37 ella666.duckdns.org 185.140.53.3, 31788, 49768, 49769 DAVID_CRAIGGG Sweden 12->37 39 mikeljack321.ddns.net 84.38.129.53, 31788 DATACLUB-NL Latvia 12->39 41 192.168.2.1 unknown unknown 12->41 33 C:\Users\user\AppData\Roaming\...\run.dat, data 12->33 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->55 21 conhost.exe 17->21         started        23 conhost.exe 19->23         started        file9 signatures10 process11

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    SourceDetectionScannerLabelLink
    vsQkhWCXxv.exe51%VirustotalBrowse
    vsQkhWCXxv.exe31%MetadefenderBrowse
    vsQkhWCXxv.exe61%ReversingLabsByteCode-MSIL.Trojan.AgenteslaPacker
    vsQkhWCXxv.exe100%AviraTR/AD.BDSNanoCoreClient.wibth
    SourceDetectionScannerLabelLink
    C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exe100%AviraTR/AD.BDSNanoCoreClient.wibth
    C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exe31%MetadefenderBrowse
    C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exe61%ReversingLabsByteCode-MSIL.Trojan.AgenteslaPacker
    SourceDetectionScannerLabelLinkDownload
    17.0.vsQkhWCXxv.exe.400000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    17.2.vsQkhWCXxv.exe.790000.1.unpack100%AviraHEUR/AGEN.1247014Download File
    17.0.vsQkhWCXxv.exe.790000.0.unpack100%AviraHEUR/AGEN.1247014Download File
    17.0.vsQkhWCXxv.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    17.0.vsQkhWCXxv.exe.790000.9.unpack100%AviraHEUR/AGEN.1247014Download File
    17.0.vsQkhWCXxv.exe.400000.6.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    17.0.vsQkhWCXxv.exe.790000.1.unpack100%AviraHEUR/AGEN.1247014Download File
    17.0.vsQkhWCXxv.exe.400000.8.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    17.2.vsQkhWCXxv.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    17.0.vsQkhWCXxv.exe.790000.5.unpack100%AviraHEUR/AGEN.1247014Download File
    17.0.vsQkhWCXxv.exe.790000.3.unpack100%AviraHEUR/AGEN.1247014Download File
    0.0.vsQkhWCXxv.exe.6f0000.0.unpack100%AviraHEUR/AGEN.1247014Download File
    0.2.vsQkhWCXxv.exe.6f0000.0.unpack100%AviraHEUR/AGEN.1247014Download File
    17.0.vsQkhWCXxv.exe.790000.7.unpack100%AviraHEUR/AGEN.1247014Download File
    17.0.vsQkhWCXxv.exe.400000.12.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    17.0.vsQkhWCXxv.exe.790000.11.unpack100%AviraHEUR/AGEN.1247014Download File
    17.0.vsQkhWCXxv.exe.790000.2.unpack100%AviraHEUR/AGEN.1247014Download File
    17.2.vsQkhWCXxv.exe.5e00000.7.unpack100%AviraTR/NanoCore.fadteDownload File
    17.0.vsQkhWCXxv.exe.790000.13.unpack100%AviraHEUR/AGEN.1247014Download File
    SourceDetectionScannerLabelLink
    mikeljack321.ddns.net7%VirustotalBrowse
    ella666.duckdns.org12%VirustotalBrowse
    SourceDetectionScannerLabelLink
    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
    http://www.tiro.com0%URL Reputationsafe
    http://www.goodfont.co.kr0%URL Reputationsafe
    http://www.carterandcone.coml0%URL Reputationsafe
    http://www.sajatypeworks.com0%URL Reputationsafe
    http://www.typography.netD0%URL Reputationsafe
    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
    http://fontfabrik.com0%URL Reputationsafe
    http://www.founder.com.cn/cn0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
    ella666.duckdns.org100%Avira URL Cloudmalware
    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
    http://www.sandoll.co.kr0%URL Reputationsafe
    mikeljack321.ddns.net0%Avira URL Cloudsafe
    http://www.urwpp.deDPlease0%URL Reputationsafe
    http://www.zhongyicts.com.cn0%URL Reputationsafe
    http://www.sakkal.com0%URL Reputationsafe
    NameIPActiveMaliciousAntivirus DetectionReputation
    mikeljack321.ddns.net
    84.38.129.53
    truetrueunknown
    ella666.duckdns.org
    185.140.53.3
    truetrueunknown
    NameMaliciousAntivirus DetectionReputation
    ella666.duckdns.orgtrue
    • Avira URL Cloud: malware
    unknown
    mikeljack321.ddns.nettrue
    • Avira URL Cloud: safe
    unknown
    NameSourceMaliciousAntivirus DetectionReputation
    http://www.apache.org/licenses/LICENSE-2.0vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
      high
      http://www.fontbureau.comvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
        high
        http://www.fontbureau.com/designersGvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
          high
          http://www.fontbureau.com/designers/?vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            http://www.founder.com.cn/cn/bThevsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://www.fontbureau.com/designers?vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              http://www.tiro.comvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.fontbureau.com/designersvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://www.goodfont.co.krvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.carterandcone.comlvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.sajatypeworks.comvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.typography.netDvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.fontbureau.com/designers/cabarga.htmlNvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.founder.com.cn/cn/cThevsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.galapagosdesign.com/staff/dennis.htmvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://fontfabrik.comvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.founder.com.cn/cnvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.fontbureau.com/designers/frere-user.htmlvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.jiyu-kobo.co.jp/vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.galapagosdesign.com/DPleasevsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.fontbureau.com/designers8vsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.fonts.comvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.sandoll.co.krvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.urwpp.deDPleasevsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.zhongyicts.com.cnvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namevsQkhWCXxv.exe, 00000000.00000002.340724952.0000000002BE8000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.sakkal.comvsQkhWCXxv.exe, 00000000.00000002.347282671.0000000006C62000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
                          IPDomainCountryFlagASNASN NameMalicious
                          84.38.129.53
                          mikeljack321.ddns.netLatvia
                          203557DATACLUB-NLtrue
                          185.140.53.3
                          ella666.duckdns.orgSweden
                          209623DAVID_CRAIGGGtrue
                          IP
                          192.168.2.1
                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:625006
                          Start date and time: 12/05/202210:29:442022-05-12 10:29:44 +02:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 10m 50s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:vsQkhWCXxv.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:30
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@9/9@9/3
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:
                          • Successful, ratio: 2.4% (good quality ratio 2.2%)
                          • Quality average: 65.2%
                          • Quality standard deviation: 26.4%
                          HCA Information:
                          • Successful, ratio: 97%
                          • Number of executed functions: 5
                          • Number of non-executed functions: 4
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Adjust boot time
                          • Enable AMSI
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 20.223.24.244
                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          TimeTypeDescription
                          10:31:02API Interceptor675x Sleep call for process: vsQkhWCXxv.exe modified
                          10:31:30API Interceptor42x Sleep call for process: powershell.exe modified
                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          84.38.129.53Ovrhnzifwt.exeGet hashmaliciousBrowse
                            185.140.53.3e1f388b8a086e034b1fbd94ca7341008.exeGet hashmaliciousBrowse
                              928272_Payment_Receipt.vbsGet hashmaliciousBrowse
                                N2K18_Payment_Copy.vbsGet hashmaliciousBrowse
                                  U2M19O_Payment_Copy.vbsGet hashmaliciousBrowse
                                    J3m1a_Payment_Copy.vbsGet hashmaliciousBrowse
                                      W3M1PaymentReceipt.exeGet hashmaliciousBrowse
                                        T1M28CPaymentReceipt.exeGet hashmaliciousBrowse
                                          gj.txt.ps1Get hashmaliciousBrowse
                                            G7M_Payment_Confirmation_Receipt.vbsGet hashmaliciousBrowse
                                              p9Ts9VV2NZ.exeGet hashmaliciousBrowse
                                                H1GC5Z4C39PAYMENTRECEIPT.exeGet hashmaliciousBrowse
                                                  ValorantLogin.exeGet hashmaliciousBrowse
                                                    OMNH11mXX2.exeGet hashmaliciousBrowse
                                                      FZJCUwvp0s.exeGet hashmaliciousBrowse
                                                        J5K18S6C5V43.exeGet hashmaliciousBrowse
                                                          0J2HA5M3A.exeGet hashmaliciousBrowse
                                                            01_exctracted.exeGet hashmaliciousBrowse
                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                              mikeljack321.ddns.net1FB6ncJ5XP.exeGet hashmaliciousBrowse
                                                              • 185.140.53.6
                                                              ella666.duckdns.orge1f388b8a086e034b1fbd94ca7341008.exeGet hashmaliciousBrowse
                                                              • 185.140.53.3
                                                              Ovrhnzifwt.exeGet hashmaliciousBrowse
                                                              • 84.38.129.53
                                                              1FB6ncJ5XP.exeGet hashmaliciousBrowse
                                                              • 185.140.53.6
                                                              DeKjb2fKJT.exeGet hashmaliciousBrowse
                                                              • 185.140.53.6
                                                              6cg2ZIoAHQ.exeGet hashmaliciousBrowse
                                                              • 79.134.225.10
                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                              DATACLUB-NLPO-Potvrda OUT210073640.xlsxGet hashmaliciousBrowse
                                                              • 84.38.129.62
                                                              Order_M456 .xlsxGet hashmaliciousBrowse
                                                              • 84.38.133.167
                                                              PO- Potvrda OUT210073640.xlsxGet hashmaliciousBrowse
                                                              • 84.38.129.62
                                                              REQUEST FOR PRICELIST QUOTATION.xlsxGet hashmaliciousBrowse
                                                              • 84.38.133.116
                                                              SOA_PI1903.xlsxGet hashmaliciousBrowse
                                                              • 84.38.133.167
                                                              PO-556MM.xlsxGet hashmaliciousBrowse
                                                              • 185.29.11.52
                                                              _SOA_090422.xlsxGet hashmaliciousBrowse
                                                              • 84.38.133.168
                                                              REQUESTED PRICELIST.xlsxGet hashmaliciousBrowse
                                                              • 84.38.133.116
                                                              Swift Potvrda OUT210073640.xlsxGet hashmaliciousBrowse
                                                              • 185.29.11.52
                                                              Revised PI.xlsxGet hashmaliciousBrowse
                                                              • 84.38.133.165
                                                              File.jarGet hashmaliciousBrowse
                                                              • 185.29.11.5
                                                              8AtMf6XNDSGet hashmaliciousBrowse
                                                              • 185.220.119.206
                                                              1SeQsixj57.exeGet hashmaliciousBrowse
                                                              • 84.38.133.52
                                                              Doc_SP8147.docxGet hashmaliciousBrowse
                                                              • 185.29.11.32
                                                              Ovrhnzifwt.exeGet hashmaliciousBrowse
                                                              • 84.38.129.53
                                                              from-iso5220841PDF.VBS.vbsGet hashmaliciousBrowse
                                                              • 84.38.129.126
                                                              T_T COPY_pdf.vbsGet hashmaliciousBrowse
                                                              • 84.38.129.126
                                                              nuevo pedidopdf.vbsGet hashmaliciousBrowse
                                                              • 84.38.129.126
                                                              22909_364_pdf.vbsGet hashmaliciousBrowse
                                                              • 84.38.129.126
                                                              974208_982_pdf.vbsGet hashmaliciousBrowse
                                                              • 84.38.129.126
                                                              DAVID_CRAIGGGOEc88DZdiO.exeGet hashmaliciousBrowse
                                                              • 91.193.75.132
                                                              SecuriteInfo.com.Trojan.PackedNET.331.28355.exeGet hashmaliciousBrowse
                                                              • 91.193.75.133
                                                              qs5yhVj1bE.exeGet hashmaliciousBrowse
                                                              • 91.193.75.221
                                                              Ki8WlC0ddA.exeGet hashmaliciousBrowse
                                                              • 91.193.75.221
                                                              xVDAUvl3Pn.exeGet hashmaliciousBrowse
                                                              • 91.193.75.134
                                                              e1f388b8a086e034b1fbd94ca7341008.exeGet hashmaliciousBrowse
                                                              • 185.140.53.3
                                                              CMACGM-WBINS9013246-20210714-125247.pdf.vbsGet hashmaliciousBrowse
                                                              • 91.193.75.131
                                                              po-iteam DOO00076543.exeGet hashmaliciousBrowse
                                                              • 91.193.75.132
                                                              Charter request details.vbsGet hashmaliciousBrowse
                                                              • 91.193.75.194
                                                              SWIFT_poruka ERSTE BANK ad NOVI SAD.vbsGet hashmaliciousBrowse
                                                              • 91.193.75.133
                                                              IMG2_455982134.exeGet hashmaliciousBrowse
                                                              • 185.140.53.174
                                                              Purchase Report.vbsGet hashmaliciousBrowse
                                                              • 91.193.75.175
                                                              BRINK GMBH BESTELLUNG _ ANFORDERUNG SH238429 12x2.5 mm#U00b2.exeGet hashmaliciousBrowse
                                                              • 185.140.53.72
                                                              Scan 1000276325462 document.vbsGet hashmaliciousBrowse
                                                              • 91.193.75.131
                                                              NEW ORDER 0522 202204280000883 pdf.vbsGet hashmaliciousBrowse
                                                              • 91.193.75.132
                                                              commercial invoice.vbsGet hashmaliciousBrowse
                                                              • 185.165.153.84
                                                              CHECK#718263.VBSGet hashmaliciousBrowse
                                                              • 185.140.53.12
                                                              eW8XdXzJ0K.exeGet hashmaliciousBrowse
                                                              • 91.193.75.227
                                                              HIkhD4L4gC.exeGet hashmaliciousBrowse
                                                              • 185.140.53.212
                                                              DHL Shipment Notice of Arrival AWB 8032697940.vbsGet hashmaliciousBrowse
                                                              • 91.193.75.209
                                                              No context
                                                              No context
                                                              Process:C:\Users\user\Desktop\vsQkhWCXxv.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:modified
                                                              Size (bytes):1216
                                                              Entropy (8bit):5.355304211458859
                                                              Encrypted:false
                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                              Malicious:true
                                                              Reputation:high, very likely benign file
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):22252
                                                              Entropy (8bit):5.599636441543448
                                                              Encrypted:false
                                                              SSDEEP:384:ptCDrq0Rvr96K0JvKSPMnAjultIQ47nvPg3hInEML+efmAV7eWMAeVZQvnI++KE:avR6Kz6MACltL866PKCpat+4
                                                              MD5:8A1BB05627515BF89BD00839D5041BA6
                                                              SHA1:0FA91C60610811EFD9023FB580AF5682DB5D63BB
                                                              SHA-256:46091A6623122EDA14D3EF45C186E3A6AA382F97B004457CF9341DEB91A98FFC
                                                              SHA-512:6340102BB75E72A4FF3A81290914900B5B6D976FE2A93706D9BBBDC0373B5089D8E9DE2FD66191C8C98BE6E0AE21526982113E2D5C46DF1A9F189A515B05DA7D
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:@...e...........s.......K.............c...,..........@..........H...............<@.^.L."My...:X..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview:1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview:1
                                                              Process:C:\Users\user\Desktop\vsQkhWCXxv.exe
                                                              File Type:XML 1.0 document, ASCII text
                                                              Category:dropped
                                                              Size (bytes):1598
                                                              Entropy (8bit):5.145443390101725
                                                              Encrypted:false
                                                              SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtazNLxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTgv
                                                              MD5:12B9B2BAAC3F00A5E887C9C33ABC0C1E
                                                              SHA1:0F510DF35E91D3D9461DDB4E86D5B07471E07A4F
                                                              SHA-256:670F799B23BDAAA40E6DEC6DED42E675CEFF4826A1F27CBFE4D2CCD9731D4451
                                                              SHA-512:D35AD7B94A732ACB816F0461313D83EE02D656F368234E4F88ADD1CF640CA62024D6560969D3E38035EA2E8F324053B79A7F00600431C13C1697CB6CD288A896
                                                              Malicious:true
                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                              Process:C:\Users\user\Desktop\vsQkhWCXxv.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):8
                                                              Entropy (8bit):3.0
                                                              Encrypted:false
                                                              SSDEEP:3:yYN:yYN
                                                              MD5:DFC7C11287DD654FD4E905F8490E6813
                                                              SHA1:3B869E06DC55A327E4773BCB3BAF25B9AA142B7B
                                                              SHA-256:277234ED4E56E5D347A0E3549D8DE8BFE0F98DCC58D9F213891EE60ED3BD3668
                                                              SHA-512:B6134B050D683DA8B773ACEA54391EC6E36D5BCF965F85BD918D029529F3A164EFD45D83EDFA1D08F6E1F23E0346E304B1485B9AB97C648A48312592E2753718
                                                              Malicious:true
                                                              Preview:..z..3.H
                                                              Process:C:\Users\user\Desktop\vsQkhWCXxv.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1093632
                                                              Entropy (8bit):7.665758507270367
                                                              Encrypted:false
                                                              SSDEEP:24576:SDR/oGw6CEzu7ycumCcFTJScFcWVMoy+x:SDR9w6CfycuMJ0cA
                                                              MD5:FF76DA5616699735C9F7C70BA9E66909
                                                              SHA1:9B0C1BF91BFD6E8E0A1D68F5D0DA2F8ADDAD231D
                                                              SHA-256:EC04EC5840BCAB1B86EC8E2A9D5D8FCBBC687A6235DF0BC416E3CB6B149FAF97
                                                              SHA-512:A78D80C4129769F7A0F70C60FEC6A791D88C2F3C7C89D1C970171B588C6EABE323A44B5D1FE53C4482B7C32F56710F71F45B6718104C68CED05CF54387CC9C08
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Metadefender, Detection: 31%, Browse
                                                              • Antivirus: ReversingLabs, Detection: 61%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0.............6.... ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........0w...........2.. ...........................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*...(......"...@"..PAs....(.......(......r...p(.......(.....*..0...........(......( ....s......o.....*&.(!.....*...0..9........~.........,".r...p.....("...o#...s$...........~.....+..*....0...........~.....+..*".......*.0..!........(....rW..p~....o%.....t.....+..*....0...........~.....+..*".(&....*Vs....('...t.........*...0......
                                                              Process:C:\Users\user\Desktop\vsQkhWCXxv.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:3:ggPYV:rPYV
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):5793
                                                              Entropy (8bit):5.406527687074698
                                                              Encrypted:false
                                                              SSDEEP:96:BZAjLNeDqDo1ZHwZTjLNeDqDo1ZrUK8jZ7jLNeDqDo1ZSZMMkZT:RdzP/
                                                              MD5:703E7E0F3E2622C3EDC9F502016ED9E1
                                                              SHA1:04D252F060DC57DECD2E4E900A3E75B2824B5C88
                                                              SHA-256:C5D97B30E7D27E802121350F8417EA5790BAFECBD8517B661B81A51039B8CA83
                                                              SHA-512:0D8B3E0E6F95A64D2FE54F6459D15A7BEE871F55E4F5034016990DD4985DD0D31FA08DA4B163C2C4AD08F2C4E7628A63FF03AC94B8FD4E4568B02D47E4F08E3A
                                                              Malicious:false
                                                              Preview:.**********************..Windows PowerShell transcript start..Start time: 20220512103130..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878411 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exe..Process ID: 1300..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220512103130..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exe..**********************..Windows PowerShell transcript start..Start time: 20220512103601..Username: computer\user..RunAs User: computer\jo
                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.665758507270367
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:vsQkhWCXxv.exe
                                                              File size:1093632
                                                              MD5:ff76da5616699735c9f7c70ba9e66909
                                                              SHA1:9b0c1bf91bfd6e8e0a1d68f5d0da2f8addad231d
                                                              SHA256:ec04ec5840bcab1b86ec8e2a9d5d8fcbbc687a6235df0bc416e3cb6b149faf97
                                                              SHA512:a78d80c4129769f7a0f70c60fec6a791d88c2f3c7c89d1c970171b588c6eabe323a44b5d1fe53c4482b7c32f56710f71f45b6718104c68ced05cf54387cc9c08
                                                              SSDEEP:24576:SDR/oGw6CEzu7ycumCcFTJScFcWVMoy+x:SDR9w6CfycuMJ0cA
                                                              TLSH:51358DE0AB08567FDEB1237AC1B855313EB61D4AA495FF28578E32C84973F8E09D241D
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0.............6.... ........@.. ....................... ............@................................
                                                              Icon Hash:00828e8e8686b000
                                                              Entrypoint:0x50c336
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0x622E9991 [Mon Mar 14 01:25:37 2022 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:v4.0.30319
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              NameVirtual AddressVirtual Size Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x10c2e40x4f.text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x10e0000x614.rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x1100000xc.reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                              .text0x20000x10a33c0x10a400False0.783547901995data7.670144875IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                              .rsrc0x10e0000x6140x800False0.33349609375data3.48672712067IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc0x1100000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                              NameRVASizeTypeLanguageCountry
                                                              RT_VERSION0x10e0900x384data
                                                              RT_MANIFEST0x10e4240x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                              DLLImport
                                                              mscoree.dll_CorExeMain
                                                              DescriptionData
                                                              Translation0x0000 0x04b0
                                                              LegalCopyrightCopyright 2018
                                                              Assembly Version1.0.0.0
                                                              InternalNameRSAPKCS1SHA256SignatureDescript.exe
                                                              FileVersion1.0.0.0
                                                              CompanyNameMicrosoft
                                                              LegalTrademarks
                                                              Comments
                                                              ProductNameAuto Jack
                                                              ProductVersion1.0.0.0
                                                              FileDescriptionAuto Jack
                                                              OriginalFilenameRSAPKCS1SHA256SignatureDescript.exe
                                                              TimestampSource PortDest PortSource IPDest IP
                                                              May 12, 2022 10:31:41.443510056 CEST4976831788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:31:41.647921085 CEST3178849768185.140.53.3192.168.2.4
                                                              May 12, 2022 10:31:42.158616066 CEST4976831788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:31:42.353931904 CEST3178849768185.140.53.3192.168.2.4
                                                              May 12, 2022 10:31:42.861835003 CEST4976831788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:31:43.080113888 CEST3178849768185.140.53.3192.168.2.4
                                                              May 12, 2022 10:31:47.861615896 CEST4976931788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:31:48.078548908 CEST3178849769185.140.53.3192.168.2.4
                                                              May 12, 2022 10:31:48.706176043 CEST4976931788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:31:48.919456005 CEST3178849769185.140.53.3192.168.2.4
                                                              May 12, 2022 10:31:49.612406969 CEST4976931788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:31:49.817852020 CEST3178849769185.140.53.3192.168.2.4
                                                              May 12, 2022 10:31:54.555962086 CEST4977031788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:31:54.756643057 CEST3178849770185.140.53.3192.168.2.4
                                                              May 12, 2022 10:31:55.362884998 CEST4977031788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:31:55.566855907 CEST3178849770185.140.53.3192.168.2.4
                                                              May 12, 2022 10:31:56.175672054 CEST4977031788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:31:56.397176981 CEST3178849770185.140.53.3192.168.2.4
                                                              May 12, 2022 10:32:00.578315020 CEST4977331788192.168.2.484.38.129.53
                                                              May 12, 2022 10:32:03.676088095 CEST4977331788192.168.2.484.38.129.53
                                                              May 12, 2022 10:32:09.676594973 CEST4977331788192.168.2.484.38.129.53
                                                              May 12, 2022 10:32:19.841871977 CEST4977931788192.168.2.484.38.129.53
                                                              May 12, 2022 10:32:22.865271091 CEST4977931788192.168.2.484.38.129.53
                                                              May 12, 2022 10:32:28.865794897 CEST4977931788192.168.2.484.38.129.53
                                                              May 12, 2022 10:32:39.639579058 CEST4978131788192.168.2.484.38.129.53
                                                              May 12, 2022 10:32:42.773185015 CEST4978131788192.168.2.484.38.129.53
                                                              May 12, 2022 10:32:48.773736954 CEST4978131788192.168.2.484.38.129.53
                                                              May 12, 2022 10:32:57.213046074 CEST4979531788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:32:57.434855938 CEST3178849795185.140.53.3192.168.2.4
                                                              May 12, 2022 10:32:57.961960077 CEST4979531788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:32:58.164561033 CEST3178849795185.140.53.3192.168.2.4
                                                              May 12, 2022 10:32:58.665092945 CEST4979531788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:32:58.866548061 CEST3178849795185.140.53.3192.168.2.4
                                                              May 12, 2022 10:33:02.986813068 CEST4981731788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:33:03.188015938 CEST3178849817185.140.53.3192.168.2.4
                                                              May 12, 2022 10:33:03.696804047 CEST4981731788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:33:03.914177895 CEST3178849817185.140.53.3192.168.2.4
                                                              May 12, 2022 10:33:04.415616989 CEST4981731788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:33:04.644908905 CEST3178849817185.140.53.3192.168.2.4
                                                              May 12, 2022 10:33:08.671421051 CEST4981831788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:33:08.871973038 CEST3178849818185.140.53.3192.168.2.4
                                                              May 12, 2022 10:33:09.541074038 CEST4981831788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:33:09.746056080 CEST3178849818185.140.53.3192.168.2.4
                                                              May 12, 2022 10:33:10.338000059 CEST4981831788192.168.2.4185.140.53.3
                                                              May 12, 2022 10:33:10.547224998 CEST3178849818185.140.53.3192.168.2.4
                                                              TimestampSource PortDest PortSource IPDest IP
                                                              May 12, 2022 10:31:41.317061901 CEST6075853192.168.2.48.8.8.8
                                                              May 12, 2022 10:31:41.425947905 CEST53607588.8.8.8192.168.2.4
                                                              May 12, 2022 10:31:47.738454103 CEST6064753192.168.2.48.8.8.8
                                                              May 12, 2022 10:31:47.848288059 CEST53606478.8.8.8192.168.2.4
                                                              May 12, 2022 10:31:54.446476936 CEST6490953192.168.2.48.8.8.8
                                                              May 12, 2022 10:31:54.553020000 CEST53649098.8.8.8192.168.2.4
                                                              May 12, 2022 10:32:00.555375099 CEST5650953192.168.2.48.8.8.8
                                                              May 12, 2022 10:32:00.574847937 CEST53565098.8.8.8192.168.2.4
                                                              May 12, 2022 10:32:19.817687035 CEST5774753192.168.2.48.8.8.8
                                                              May 12, 2022 10:32:19.838841915 CEST53577478.8.8.8192.168.2.4
                                                              May 12, 2022 10:32:39.620493889 CEST5817153192.168.2.48.8.8.8
                                                              May 12, 2022 10:32:39.637758017 CEST53581718.8.8.8192.168.2.4
                                                              May 12, 2022 10:32:57.095071077 CEST5167953192.168.2.48.8.8.8
                                                              May 12, 2022 10:32:57.204433918 CEST53516798.8.8.8192.168.2.4
                                                              May 12, 2022 10:33:02.872683048 CEST5881653192.168.2.48.8.8.8
                                                              May 12, 2022 10:33:02.982228041 CEST53588168.8.8.8192.168.2.4
                                                              May 12, 2022 10:33:08.651254892 CEST5643753192.168.2.48.8.8.8
                                                              May 12, 2022 10:33:08.670778036 CEST53564378.8.8.8192.168.2.4
                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                              May 12, 2022 10:31:41.317061901 CEST192.168.2.48.8.8.80xc1baStandard query (0)ella666.duckdns.orgA (IP address)IN (0x0001)
                                                              May 12, 2022 10:31:47.738454103 CEST192.168.2.48.8.8.80x9415Standard query (0)ella666.duckdns.orgA (IP address)IN (0x0001)
                                                              May 12, 2022 10:31:54.446476936 CEST192.168.2.48.8.8.80x895cStandard query (0)ella666.duckdns.orgA (IP address)IN (0x0001)
                                                              May 12, 2022 10:32:00.555375099 CEST192.168.2.48.8.8.80xfcdaStandard query (0)mikeljack321.ddns.netA (IP address)IN (0x0001)
                                                              May 12, 2022 10:32:19.817687035 CEST192.168.2.48.8.8.80x48e2Standard query (0)mikeljack321.ddns.netA (IP address)IN (0x0001)
                                                              May 12, 2022 10:32:39.620493889 CEST192.168.2.48.8.8.80xae23Standard query (0)mikeljack321.ddns.netA (IP address)IN (0x0001)
                                                              May 12, 2022 10:32:57.095071077 CEST192.168.2.48.8.8.80x6306Standard query (0)ella666.duckdns.orgA (IP address)IN (0x0001)
                                                              May 12, 2022 10:33:02.872683048 CEST192.168.2.48.8.8.80xf208Standard query (0)ella666.duckdns.orgA (IP address)IN (0x0001)
                                                              May 12, 2022 10:33:08.651254892 CEST192.168.2.48.8.8.80x99b9Standard query (0)ella666.duckdns.orgA (IP address)IN (0x0001)
                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                              May 12, 2022 10:31:41.425947905 CEST8.8.8.8192.168.2.40xc1baNo error (0)ella666.duckdns.org185.140.53.3A (IP address)IN (0x0001)
                                                              May 12, 2022 10:31:47.848288059 CEST8.8.8.8192.168.2.40x9415No error (0)ella666.duckdns.org185.140.53.3A (IP address)IN (0x0001)
                                                              May 12, 2022 10:31:54.553020000 CEST8.8.8.8192.168.2.40x895cNo error (0)ella666.duckdns.org185.140.53.3A (IP address)IN (0x0001)
                                                              May 12, 2022 10:32:00.574847937 CEST8.8.8.8192.168.2.40xfcdaNo error (0)mikeljack321.ddns.net84.38.129.53A (IP address)IN (0x0001)
                                                              May 12, 2022 10:32:19.838841915 CEST8.8.8.8192.168.2.40x48e2No error (0)mikeljack321.ddns.net84.38.129.53A (IP address)IN (0x0001)
                                                              May 12, 2022 10:32:39.637758017 CEST8.8.8.8192.168.2.40xae23No error (0)mikeljack321.ddns.net84.38.129.53A (IP address)IN (0x0001)
                                                              May 12, 2022 10:32:57.204433918 CEST8.8.8.8192.168.2.40x6306No error (0)ella666.duckdns.org185.140.53.3A (IP address)IN (0x0001)
                                                              May 12, 2022 10:33:02.982228041 CEST8.8.8.8192.168.2.40xf208No error (0)ella666.duckdns.org185.140.53.3A (IP address)IN (0x0001)
                                                              May 12, 2022 10:33:08.670778036 CEST8.8.8.8192.168.2.40x99b9No error (0)ella666.duckdns.org185.140.53.3A (IP address)IN (0x0001)

                                                              Click to jump to process

                                                              Click to jump to process

                                                              Click to dive into process behavior distribution

                                                              Click to jump to process

                                                              Target ID:0
                                                              Start time:10:30:54
                                                              Start date:12/05/2022
                                                              Path:C:\Users\user\Desktop\vsQkhWCXxv.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\vsQkhWCXxv.exe"
                                                              Imagebase:0x6f0000
                                                              File size:1093632 bytes
                                                              MD5 hash:FF76DA5616699735C9F7C70BA9E66909
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: INDICATOR_EXE_Packed_DotNetReactor, Description: Detects executables packed with unregistered version of .NET Reactor, Source: 00000000.00000002.346722851.0000000005340000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.340724952.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.342641640.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.343578588.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                              Reputation:low

                                                              Target ID:12
                                                              Start time:10:31:24
                                                              Start date:12/05/2022
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vyJCJmhRnRK.exe
                                                              Imagebase:0xa90000
                                                              File size:430592 bytes
                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              Target ID:13
                                                              Start time:10:31:24
                                                              Start date:12/05/2022
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff647620000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              Target ID:15
                                                              Start time:10:31:31
                                                              Start date:12/05/2022
                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vyJCJmhRnRK" /XML "C:\Users\user\AppData\Local\Temp\tmp5508.tmp
                                                              Imagebase:0x9e0000
                                                              File size:185856 bytes
                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              Target ID:16
                                                              Start time:10:31:32
                                                              Start date:12/05/2022
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff647620000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              Target ID:17
                                                              Start time:10:31:33
                                                              Start date:12/05/2022
                                                              Path:C:\Users\user\Desktop\vsQkhWCXxv.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\Desktop\vsQkhWCXxv.exe
                                                              Imagebase:0x790000
                                                              File size:1093632 bytes
                                                              MD5 hash:FF76DA5616699735C9F7C70BA9E66909
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.517843994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: NanoCore, Description: unknown, Source: 00000011.00000000.334851227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000011.00000002.526264633.0000000005E00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.336072667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.336072667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: NanoCore, Description: unknown, Source: 00000011.00000000.336072667.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.335466598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.335466598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: NanoCore, Description: unknown, Source: 00000011.00000000.335466598.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.525905019.0000000005460000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000011.00000002.525905019.0000000005460000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000011.00000002.525905019.0000000005460000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.523753940.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.337380622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.337380622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: NanoCore, Description: unknown, Source: 00000011.00000000.337380622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.524933429.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                              Reputation:low

                                                              Reset < >

                                                                Execution Graph

                                                                Execution Coverage:9.9%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:13
                                                                Total number of Limit Nodes:4
                                                                execution_graph 3374 7997518 3375 79976a3 3374->3375 3376 799753e 3374->3376 3376->3375 3379 7997798 PostMessageW 3376->3379 3381 7997791 3376->3381 3380 7997804 3379->3380 3380->3376 3382 7997798 PostMessageW 3381->3382 3383 7997804 3382->3383 3383->3376 3384 7997508 3385 79976a3 3384->3385 3386 799753e 3384->3386 3386->3385 3387 7997798 PostMessageW 3386->3387 3388 7997791 PostMessageW 3386->3388 3387->3386 3388->3386

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 0 7997791-7997802 PostMessageW 2 799780b-799781f 0->2 3 7997804-799780a 0->3 3->2
                                                                APIs
                                                                • PostMessageW.USER32(?,?,?,?), ref: 079977F5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.348392256.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7990000_vsQkhWCXxv.jbxd
                                                                Similarity
                                                                • API ID: MessagePost
                                                                • String ID:
                                                                • API String ID: 410705778-0
                                                                • Opcode ID: 5ddd9b91de3d505595dbc787bd33ea25d7f4e104d240879aec0ed15cd3cbda25
                                                                • Instruction ID: eac40094351b39efdf57baf2301bdabe5d7739c25e4b92efe0c46be790598db5
                                                                • Opcode Fuzzy Hash: 5ddd9b91de3d505595dbc787bd33ea25d7f4e104d240879aec0ed15cd3cbda25
                                                                • Instruction Fuzzy Hash: 6B1103B58003499FDB20CF99D988BDEBBF8EB48324F10885AE514A7600C375A984CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 5 7997798-7997802 PostMessageW 6 799780b-799781f 5->6 7 7997804-799780a 5->7 7->6
                                                                APIs
                                                                • PostMessageW.USER32(?,?,?,?), ref: 079977F5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.348392256.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7990000_vsQkhWCXxv.jbxd
                                                                Similarity
                                                                • API ID: MessagePost
                                                                • String ID:
                                                                • API String ID: 410705778-0
                                                                • Opcode ID: e03a1790221f80b26e3af1d2f3232dc244378af870c325dea0ed723551168a66
                                                                • Instruction ID: 736a7262fabbea4fd1c3194dabe2f465cb5a688f981d781d8c2ff2fe4b6ab9cc
                                                                • Opcode Fuzzy Hash: e03a1790221f80b26e3af1d2f3232dc244378af870c325dea0ed723551168a66
                                                                • Instruction Fuzzy Hash: 1511D3B58003499FDB20CF99C988BDEBBF8EB48324F148859D514A7600C375A944CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.348392256.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7990000_vsQkhWCXxv.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID: 0-3916222277
                                                                • Opcode ID: 5df28d9b646fc39637b1f56bb59642d265d501a79dfaf66d3a9cda82192a4236
                                                                • Instruction ID: 1debc555d9a20edebb5b2b76c8be8108e8191adce40a86548e18495aaac307b3
                                                                • Opcode Fuzzy Hash: 5df28d9b646fc39637b1f56bb59642d265d501a79dfaf66d3a9cda82192a4236
                                                                • Instruction Fuzzy Hash: CD12CEB4E00219CFEF14CFA9D984AEEBBF6BF88314F148169D909A7255D734A991CF10
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.348392256.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7990000_vsQkhWCXxv.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID: 0-3916222277
                                                                • Opcode ID: defd7940b64d71b14d042097ddd1ef40faaf4ccebd0e8d9a82c27a62beba0107
                                                                • Instruction ID: 25f9b38412810128e2829d5703d2fd7c8031936297a86938105d494aef58d383
                                                                • Opcode Fuzzy Hash: defd7940b64d71b14d042097ddd1ef40faaf4ccebd0e8d9a82c27a62beba0107
                                                                • Instruction Fuzzy Hash: E761B0B5E05218CFDB58CFAAC8407DEBBF6AF88304F04C0AAD518A7255DB345A95CF51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.348392256.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7990000_vsQkhWCXxv.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: {
                                                                • API String ID: 0-366298937
                                                                • Opcode ID: 7b23f7082c2be77d3109baf897cd6843217afaf2dad200d6692ffef366800fa5
                                                                • Instruction ID: 6c6aa5cf67aa668431c498b2a4d92794a4f72e049bca4031e5020536e4eea0e3
                                                                • Opcode Fuzzy Hash: 7b23f7082c2be77d3109baf897cd6843217afaf2dad200d6692ffef366800fa5
                                                                • Instruction Fuzzy Hash: 333142B1E056198BEB5CCF6B8D4069EFAF7AFC9204F14C1BA840CAA264DB341646CF11
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.348392256.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7990000_vsQkhWCXxv.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bfbeb2f85f2d29c74a20194331260d8180f26a7cc8269e2803c6536472132765
                                                                • Instruction ID: 6444884bae128055acee7a573cb7ef808dd674ece8d9fbc878e94d775070f9c8
                                                                • Opcode Fuzzy Hash: bfbeb2f85f2d29c74a20194331260d8180f26a7cc8269e2803c6536472132765
                                                                • Instruction Fuzzy Hash: C041EFB2D057548FEB1ACF6B9C4069ABFF7AFCA210F18C0BAD4489A125DB350A45CF51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Execution Graph

                                                                Execution Coverage:11.8%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:56
                                                                Total number of Limit Nodes:3
                                                                execution_graph 2982 6442ad0 2983 6442ad9 2982->2983 2987 6442b10 2983->2987 2992 6442b20 2983->2992 2984 6442b0a 2988 6442b2c 2987->2988 2997 6442b58 2988->2997 3002 6442b49 2988->3002 2989 6442b3c 2989->2984 2993 6442b25 2992->2993 2995 6442b58 DnsQuery_A 2993->2995 2996 6442b49 DnsQuery_A 2993->2996 2994 6442b3c 2994->2984 2995->2994 2996->2994 2998 6442b76 2997->2998 2999 6442bad 2998->2999 3007 6442c60 2998->3007 3011 6442c51 2998->3011 2999->2989 3003 6442b58 3002->3003 3004 6442bad 3003->3004 3005 6442c60 DnsQuery_A 3003->3005 3006 6442c51 DnsQuery_A 3003->3006 3004->2989 3005->3004 3006->3004 3008 6442c89 3007->3008 3015 644189c 3008->3015 3012 6442c60 3011->3012 3013 644189c DnsQuery_A 3012->3013 3014 6442cca 3013->3014 3014->2999 3016 6442ed8 DnsQuery_A 3015->3016 3018 6443012 3016->3018 3031 6442ac0 3032 6442ad9 3031->3032 3034 6442b10 DnsQuery_A 3032->3034 3035 6442b20 DnsQuery_A 3032->3035 3033 6442b0a 3034->3033 3035->3033 3050 6440b90 3051 6440be3 3050->3051 3052 6440c4f GetCurrentThreadId 3051->3052 3053 6440c1f 3051->3053 3052->3053 3053->3053 3019 6442e11 3020 6442e3e 3019->3020 3022 6442e52 3019->3022 3021 6442e90 3022->3021 3023 6442fbf DnsQuery_A 3022->3023 3024 6443012 3023->3024 3040 6440b81 3041 6440b90 3040->3041 3042 6440c4f GetCurrentThreadId 3041->3042 3043 6440c1f 3041->3043 3042->3043 3036 6442ecc 3037 6442ed1 DnsQuery_A 3036->3037 3039 6443012 3037->3039 3044 6442a89 3045 6442aea 3044->3045 3046 6442a92 3044->3046 3048 6442b10 DnsQuery_A 3045->3048 3049 6442b20 DnsQuery_A 3045->3049 3047 6442b0a 3048->3047 3049->3047

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 28 6442e20-6442e3c 29 6442e52-6442eb3 28->29 30 6442e3e-6442e4f 28->30 39 6442e90-6442ebf 29->39 40 6442ec1-6442f4b 29->40 46 6442f84-6442fb7 40->46 47 6442f4d-6442f57 40->47 55 6442fbf-6443010 DnsQuery_A 46->55 47->46 48 6442f59-6442f5b 47->48 51 6442f5d-6442f67 48->51 52 6442f7e-6442f81 48->52 53 6442f69 51->53 54 6442f6b-6442f7a 51->54 52->46 53->54 54->54 56 6442f7c 54->56 57 6443012-6443018 55->57 58 6443019-6443066 55->58 56->52 57->58 63 6443076-644307a 58->63 64 6443068-644306c 58->64 66 644307c-644307f 63->66 67 6443089-644308d 63->67 64->63 65 644306e 64->65 65->63 66->67 68 644309e 67->68 69 644308f-644309b 67->69 71 644309f 68->71 69->68 71->71
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.526571842.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_6440000_vsQkhWCXxv.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: da76567b5c83737084dc9a4d6ffbc745a2ea9d6cba6af0afa3c4183f5c65d5e2
                                                                • Instruction ID: 859a85386ddb297081b5157b2995e323e6d75122e2909ffd2b241b2d060033c0
                                                                • Opcode Fuzzy Hash: da76567b5c83737084dc9a4d6ffbc745a2ea9d6cba6af0afa3c4183f5c65d5e2
                                                                • Instruction Fuzzy Hash: EF817871D042099FEB15DFA9C8857EEFBB1FF49304F20852AE905AB310DB749A46CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 72 6442ecc-6442f4b 76 6442f84-6442fb7 72->76 77 6442f4d-6442f57 72->77 84 6442fbf-6443010 DnsQuery_A 76->84 77->76 78 6442f59-6442f5b 77->78 80 6442f5d-6442f67 78->80 81 6442f7e-6442f81 78->81 82 6442f69 80->82 83 6442f6b-6442f7a 80->83 81->76 82->83 83->83 85 6442f7c 83->85 86 6443012-6443018 84->86 87 6443019-6443066 84->87 85->81 86->87 92 6443076-644307a 87->92 93 6443068-644306c 87->93 95 644307c-644307f 92->95 96 6443089-644308d 92->96 93->92 94 644306e 93->94 94->92 95->96 97 644309e 96->97 98 644308f-644309b 96->98 100 644309f 97->100 98->97 100->100
                                                                APIs
                                                                • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06443000
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.526571842.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_6440000_vsQkhWCXxv.jbxd
                                                                Similarity
                                                                • API ID: Query_
                                                                • String ID:
                                                                • API String ID: 428220571-0
                                                                • Opcode ID: 94a7f572972db3c401ed6f86ec43d7736e18b2b5d48a79554130e69a98ef23dd
                                                                • Instruction ID: 49e22e9a1536cfb857a26b10934b432e0c0178f55d4ce059de93e691f6bed74b
                                                                • Opcode Fuzzy Hash: 94a7f572972db3c401ed6f86ec43d7736e18b2b5d48a79554130e69a98ef23dd
                                                                • Instruction Fuzzy Hash: 0D5145B1D006089FEB11DFA9C8817DEBBB1FF49304F14852AE814AB244CB749986CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 101 644189c-6442f4b 104 6442f84-6443010 DnsQuery_A 101->104 105 6442f4d-6442f57 101->105 114 6443012-6443018 104->114 115 6443019-6443066 104->115 105->104 106 6442f59-6442f5b 105->106 108 6442f5d-6442f67 106->108 109 6442f7e-6442f81 106->109 110 6442f69 108->110 111 6442f6b-6442f7a 108->111 109->104 110->111 111->111 113 6442f7c 111->113 113->109 114->115 120 6443076-644307a 115->120 121 6443068-644306c 115->121 123 644307c-644307f 120->123 124 6443089-644308d 120->124 121->120 122 644306e 121->122 122->120 123->124 125 644309e 124->125 126 644308f-644309b 124->126 128 644309f 125->128 126->125 128->128
                                                                APIs
                                                                • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06443000
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.526571842.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_6440000_vsQkhWCXxv.jbxd
                                                                Similarity
                                                                • API ID: Query_
                                                                • String ID:
                                                                • API String ID: 428220571-0
                                                                • Opcode ID: b00e158031d795bdf8bdcb8e2d42fe9fe54b739d6b257deb895e72953ea61544
                                                                • Instruction ID: 63abd32a3f67cfdba8fbb51bc697ad0064d29e291c5e6d5a805118b7443f37b3
                                                                • Opcode Fuzzy Hash: b00e158031d795bdf8bdcb8e2d42fe9fe54b739d6b257deb895e72953ea61544
                                                                • Instruction Fuzzy Hash: 4C513371D0060C9FEB15DFA9C8857DEBBB1FF49304F24852AE805AB244DBB49986CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%