
Windows Analysis Report
jc1NVSdAkP.exe

Overview

General Information

Sample Name: jc1NVSdAkP.exe
Analysis ID: 626606
MD5: 4ae230eae2ec7bb0cfe6f9069616421e
SHA1: 2439307f4a8b2d0938ab5bf480a0b12da403933b
SHA256: 5f22cd86922fc0dfff33f6d9906291e50d12259b86e5a8bc804b6945ca7e994e
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • jc1NVSdAkP.exe (PID: 6296 cmdline: "C:\Users\user\Desktop\jc1NVSdAkP.exe" MD5: 4AE230EAE2EC7BB0CFE6F9069616421E)
    • sytesnet.exe (PID: 6704 cmdline: "C:\Users\user\AppData\Roaming\sytesnet.exe" MD5: 4AE230EAE2EC7BB0CFE6F9069616421E)
      • netsh.exe (PID: 6340 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\sytesnet.exe" "sytesnet.exe" ENABLE MD5: 98CC37BBF363A38834253E22C80A8F32)
        • conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

{"Campaign ID": "Deep==2020", "Version": "0.7d", "Install Name": "sytesnet.exe", "Install Dir": "AppData", "Registry Value": "8336fcc4e4035f156be83ac267209dbd", "Host": "volkatv500.sytes.net", "Port": "999", "Network Seprator": "|'|'|", "Install Flag": "False"}
Source | Rule | Description | Author | Strings

Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x4d4e:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea6:$s3: Executed As
  • 0x4e88:$s6: Download ERROR
Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp | Rule: MALWARE_Win_NjRAT | Description: Detects NjRAT / Bladabindi | Author: ditekSHen
  • 0x4ce0:$s1: netsh firewall delete allowedprogram
  • 0x4dbc:$s2: netsh firewall add allowedprogram
  • 0x4d4e:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x4e64:$s4: Execute ERROR
  • 0x4ec0:$s4: Execute ERROR
  • 0x4e88:$s5: Download ERROR
  • 0x4fec:$s6: [kl]
Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x4dbc:$a1: netsh firewall add allowedprogram
  • 0x4d8c:$a2: SEE_MASK_NOZONECHECKS
  • 0x5036:$b1: [TAP]
  • 0x4d4e:$c3: cmd.exe /c ping
Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x4d8c:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e64:$msg: Execute ERROR
  • 0x4ec0:$msg: Execute ERROR
  • 0x4d4e:$ping: cmd.exe /c ping 0 -n 2 & del
Source | Rule | Description | Author | Strings

Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack | Rule: CN_disclosed_20180208_c | Description: Detects malware from disclosed CN malware set | Author: Florian Roth
  • 0x4d4e:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea6:$s3: Executed As
  • 0x4e88:$s6: Download ERROR
Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack | Rule: JoeSecurity_Njrat | Description: Yara detected Njrat | Author: Joe Security
Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack | Rule: MALWARE_Win_NjRAT | Description: Detects NjRAT / Bladabindi | Author: ditekSHen
  • 0x4ce0:$s1: netsh firewall delete allowedprogram
  • 0x4dbc:$s2: netsh firewall add allowedprogram
  • 0x4d4e:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x4e64:$s4: Execute ERROR
  • 0x4ec0:$s4: Execute ERROR
  • 0x4e88:$s5: Download ERROR
  • 0x4fec:$s6: [kl]
Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack | Rule: njrat1 | Description: Identify njRat | Author: Brian Wallace @botnet_hunter
  • 0x4dbc:$a1: netsh firewall add allowedprogram
  • 0x4d8c:$a2: SEE_MASK_NOZONECHECKS
  • 0x5036:$b1: [TAP]
  • 0x4d4e:$c3: cmd.exe /c ping
Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack | Rule: Njrat | Description: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
  • 0x4d8c:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e64:$msg: Execute ERROR
  • 0x4ec0:$msg: Execute ERROR
  • 0x4d4e:$ping: cmd.exe /c ping 0 -n 2 & del
No Sigma rule has matched

Snort IDS Alerts

Timestamp: 05/14/22-15:39:01.814335
Source IP: 192.168.2.3
Destination IP: 41.103.180.209
SID: 2814856
Source Port: 49751
Destination Port: 999
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/14/22-15:39:01.814335
Source IP: 192.168.2.3
Destination IP: 41.103.180.209
SID: 2825563
Source Port: 49751
Destination Port: 999
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/14/22-15:39:01.539928
Source IP: 192.168.2.3
Destination IP: 41.103.180.209
SID: 2033132
Source Port: 49751
Destination Port: 999
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/14/22-15:39:06.382536
Source IP: 192.168.2.3
Destination IP: 41.103.180.209
SID: 2825564
Source Port: 49751
Destination Port: 999
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/14/22-15:39:06.382536
Source IP: 192.168.2.3
Destination IP: 41.103.180.209
SID: 2814860
Source Port: 49751
Destination Port: 999
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: 0.2.jc1NVSdAkP.exe.326b270.1.raw.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "Deep==2020", "Version": "0.7d", "Install Name": "sytesnet.exe", "Install Dir": "AppData", "Registry Value": "8336fcc4e4035f156be83ac267209dbd", "Host": "volkatv500.sytes.net", "Port": "999", "Network Seprator": "|'|'|", "Install Flag": "False"}
Source: jc1NVSdAkP.exe | Virustotal: Detection: 63%
Source: jc1NVSdAkP.exe | Metadefender: Detection: 26%
Source: jc1NVSdAkP.exe | ReversingLabs: Detection: 60%
Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.326b270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jc1NVSdAkP.exe PID: 6296, type: MEMORYSTR
Source: jc1NVSdAkP.exe | Avira: detected
Source: volkatv500.sytes.net | Avira URL Cloud: Label: malware
Source: volkatv500.sytes.net | Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Roaming\sytesnet.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\sytesnet.exe | Virustotal: Detection: 63%
Source: C:\Users\user\AppData\Roaming\sytesnet.exe | Metadefender: Detection: 26%
Source: C:\Users\user\AppData\Roaming\sytesnet.exe | ReversingLabs: Detection: 60%
Source: jc1NVSdAkP.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sytesnet.exe | Joe Sandbox ML: detected
Source: 0.0.jc1NVSdAkP.exe.c80000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.0.sytesnet.exe.e0000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.0.sytesnet.exe.e0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.0.sytesnet.exe.e0000.2.unpack | Avira: Label: TR/Dropper.Gen

Compliance

Source: C:\Users\user\Desktop\jc1NVSdAkP.exe | Unpacked PE file: 0.2.jc1NVSdAkP.exe.c80000.0.unpack
Source: jc1NVSdAkP.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\jc1NVSdAkP.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: jc1NVSdAkP.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\users\rdp-g41\documents\visual studio 2012\Projects\WindowsApplication14\WindowsApplication14\obj\Debug\WindowsApplication14.pdb | source: jc1NVSdAkP.exe, sytesnet.exe.0.dr
Source: Binary string: c:\users\rdp-g41\documents\visual studio 2012\Projects\WindowsApplication14\WindowsApplication14\obj\Debug\WindowsApplication14.pdbBSJB | source: jc1NVSdAkP.exe, sytesnet.exe.0.dr
Source: C:\Users\user\Desktop\jc1NVSdAkP.exe | Code function: 4x nop then jmp 00007FFC0112863Ah

Networking

Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49751 -> 41.103.180.209:999
Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.3:49751 -> 41.103.180.209:999
Source: Traffic | Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.3:49751 -> 41.103.180.209:999
Source: Traffic | Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.3:49751 -> 41.103.180.209:999
Source: Traffic | Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.3:49751 -> 41.103.180.209:999
Source: Malware configuration extractor | URLs: volkatv500.sytes.net
Source: Joe Sandbox View | ASN Name: ALGTEL-ASDZ ALGTEL-ASDZ
Source: global traffic | TCP traffic: 192.168.2.3:49751 -> 41.103.180.209:999
Source: jc1NVSdAkP.exe, 00000000.00000003.256656239.000000001BF6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.w
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: jc1NVSdAkP.exe, 00000000.00000003.261828407.000000001BF6F000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261768881.000000001BF70000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261853022.000000001BF70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000002.293306717.0000000001705000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: jc1NVSdAkP.exe, 00000000.00000003.264295560.000000001BF70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: jc1NVSdAkP.exe, 00000000.00000003.263865875.000000001BF71000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: jc1NVSdAkP.exe, 00000000.00000003.262067529.000000001BF70000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261981088.000000001BF71000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261816363.000000001BF75000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261768881.000000001BF70000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261853022.000000001BF70000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261933692.000000001BF6F000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.262105808.000000001BF76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: volkatv500.sytes.net

E-Banking Fraud

Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.326b270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jc1NVSdAkP.exe PID: 6296, type: MEMORYSTR

      System Summary

      barindex
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.raw.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
      Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
      Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
      Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
      Source: 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
      Source: 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
      Source: jc1NVSdAkP.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
      Source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
      Source: 0.2.jc1NVSdAkP.exe.326b270.1.raw.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
      Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
      Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
      Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
      Source: 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
      Source: 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
      Source: Process Memory Space: jc1NVSdAkP.exe PID: 6296, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeFile created: C:\Windows\assembly\Desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeCode function: 0_2_00007FFC0112831D
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeCode function: 0_2_00007FFC01106F2C
      Source: jc1NVSdAkP.exe, 00000000.00000002.294578354.0000000013208000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs jc1NVSdAkP.exe
      Source: jc1NVSdAkP.exe, 00000000.00000002.297608289.000000001BB50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs jc1NVSdAkP.exe
      Source: jc1NVSdAkP.exe, 00000000.00000002.295132254.00000000132DB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWindowsApplication14.exeH vs jc1NVSdAkP.exe
      Source: jc1NVSdAkP.exe, 00000000.00000002.294548120.00000000131E7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs jc1NVSdAkP.exe
      Source: jc1NVSdAkP.exe, 00000000.00000002.292580602.0000000000CAA000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameWindowsApplication14.exeH vs jc1NVSdAkP.exe
      Source: jc1NVSdAkP.exe, 00000000.00000002.292727508.000000000119D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs jc1NVSdAkP.exe
      Source: jc1NVSdAkP.exe, 00000000.00000002.294633070.0000000013226000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs jc1NVSdAkP.exe
      Source: jc1NVSdAkP.exeBinary or memory string: OriginalFilenameWindowsApplication14.exeH vs jc1NVSdAkP.exe
      Source: jc1NVSdAkP.exeVirustotal: Detection: 63%
      Source: jc1NVSdAkP.exeMetadefender: Detection: 26%
      Source: jc1NVSdAkP.exeReversingLabs: Detection: 60%
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeFile read: C:\Users\user\Desktop\jc1NVSdAkP.exeJump to behavior
      Source: jc1NVSdAkP.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Users\user\Desktop\jc1NVSdAkP.exe "C:\Users\user\Desktop\jc1NVSdAkP.exe"
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeProcess created: C:\Users\user\AppData\Roaming\sytesnet.exe "C:\Users\user\AppData\Roaming\sytesnet.exe"
      Source: C:\Users\user\AppData\Roaming\sytesnet.exeProcess created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\sytesnet.exe" "sytesnet.exe" ENABLE
      Source: C:\Windows\System32\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeProcess created: C:\Users\user\AppData\Roaming\sytesnet.exe "C:\Users\user\AppData\Roaming\sytesnet.exe"
      Source: C:\Users\user\AppData\Roaming\sytesnet.exeProcess created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\sytesnet.exe" "sytesnet.exe" ENABLE
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe File created: C:\Users\user\AppData\Roaming\sytesnet.exe
      Source: classification engine Classification label: mal100.troj.evad.winEXE@6/4@1/1
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\AppData\Roaming\sytesnet.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\sytesnet.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\AppData\Roaming\sytesnet.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_01
      Source: C:\Users\user\AppData\Roaming\sytesnet.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\AppData\Roaming\sytesnet.exe Mutant created: \Sessions\1\BaseNamedObjects\8336fcc4e4035f156be83ac267209dbd
      Source: jc1NVSdAkP.exe, 00000000.00000003.269620462.000000001BF8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Corp.slnt
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe File written: C:\Windows\assembly\Desktop.ini
      Source: C:\Users\user\AppData\Roaming\sytesnet.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Window detected: Number of UI elements: 25
      Source: C:\Users\user\AppData\Roaming\sytesnet.exe Window detected: Number of UI elements: 25
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
      Source: jc1NVSdAkP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: jc1NVSdAkP.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: jc1NVSdAkP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: c:\users\rdp-g41\documents\visual studio 2012\Projects\WindowsApplication14\WindowsApplication14\obj\Debug\WindowsApplication14.pdb source: jc1NVSdAkP.exe, sytesnet.exe.0.dr
      Source: Binary string: c:\users\rdp-g41\documents\visual studio 2012\Projects\WindowsApplication14\WindowsApplication14\obj\Debug\WindowsApplication14.pdbBSJB source: jc1NVSdAkP.exe, sytesnet.exe.0.dr

      Data Obfuscation

      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Unpacked PE file: 0.2.jc1NVSdAkP.exe.c80000.0.unpack
      Source: jc1NVSdAkP.exe, WindowsApplication14/Form1.cs .Net Code: c90412449b6805d4ebcc9863a6b381b57 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 0.0.jc1NVSdAkP.exe.c80000.0.unpack, WindowsApplication14/Form1.cs .Net Code: c90412449b6805d4ebcc9863a6b381b57 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 0.2.jc1NVSdAkP.exe.c80000.0.unpack, WindowsApplication14/Form1.cs .Net Code: c90412449b6805d4ebcc9863a6b381b57 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 5.0.sytesnet.exe.e0000.1.unpack, WindowsApplication14/Form1.cs .Net Code: c90412449b6805d4ebcc9863a6b381b57 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 5.0.sytesnet.exe.e0000.0.unpack, WindowsApplication14/Form1.cs .Net Code: c90412449b6805d4ebcc9863a6b381b57 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 5.0.sytesnet.exe.e0000.2.unpack, WindowsApplication14/Form1.cs .Net Code: c90412449b6805d4ebcc9863a6b381b57 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: initial sample Static PE information: section name: .text entropy: 7.0671537001
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe File created: C:\Users\user\AppData\Roaming\sytesnet.exe
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\sytesnet.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe TID: 6316 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\sytesnet.exe Window / User API: threadDelayed 2722
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Thread delayed: delay time: 922337203685477
      Source: netsh.exe, 0000000F.00000002.345039314.000001D920D26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllqq
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Process token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\sytesnet.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Memory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Process created: C:\Users\user\AppData\Roaming\sytesnet.exe "C:\Users\user\AppData\Roaming\sytesnet.exe"
      Source: jc1NVSdAkP.exe, 00000000.00000002.294252222.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000002.298370723.000000001C987000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
      Source: jc1NVSdAkP.exe, 00000000.00000002.294252222.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000002.294234250.00000000034F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: program manager
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\AppData\Roaming\sytesnet.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\jc1NVSdAkP.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Users\user\AppData\Roaming\sytesnet.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\sytesnet.exe" "sytesnet.exe" ENABLE
      Source: C:\Users\user\AppData\Roaming\sytesnet.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\sytesnet.exe" "sytesnet.exe" ENABLE

      Stealing of Sensitive Information

      Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.326b270.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: jc1NVSdAkP.exe PID: 6296, type: MEMORYSTR

      Remote Access Functionality

      Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.1be00000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.326b270.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.1be00000.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.jc1NVSdAkP.exe.326b270.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: jc1NVSdAkP.exe PID: 6296, type: MEMORYSTR

      MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures for that technique)

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (12) | Masquerading (11) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (21) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (21) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (12) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (11) | SIM Card Swap | Carrier Billing Fraud |
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (2) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing (22) | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery (12) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
      Source | Detection | Scanner | Label | Link
      jc1NVSdAkP.exe | 64% | Virustotal | | Browse
      jc1NVSdAkP.exe | 26% | Metadefender | | Browse
      jc1NVSdAkP.exe | 61% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi |
      jc1NVSdAkP.exe | 100% | Avira | TR/Dropper.Gen |
      jc1NVSdAkP.exe | 100% | Joe Sandbox ML | |

      Source | Detection | Scanner | Label | Link
      C:\Users\user\AppData\Roaming\sytesnet.exe | 100% | Avira | TR/Dropper.Gen |
      C:\Users\user\AppData\Roaming\sytesnet.exe | 100% | Joe Sandbox ML | |
      C:\Users\user\AppData\Roaming\sytesnet.exe | 64% | Virustotal | | Browse
      C:\Users\user\AppData\Roaming\sytesnet.exe | 26% | Metadefender | | Browse
      C:\Users\user\AppData\Roaming\sytesnet.exe | 61% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi |

      Source | Detection | Scanner | Label | Link | Download
      0.0.jc1NVSdAkP.exe.c80000.0.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
      5.0.sytesnet.exe.e0000.1.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
      5.0.sytesnet.exe.e0000.0.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
      5.0.sytesnet.exe.e0000.2.unpack | 100% | Avira | TR/Dropper.Gen | | Download File

      Source | Detection | Scanner | Label | Link
      volkatv500.sytes.net | 11% | Virustotal | | Browse

      Source | Detection | Scanner | Label | Link
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
      volkatv500.sytes.net | 11% | Virustotal | | Browse
      volkatv500.sytes.net | 100% | Avira URL Cloud | malware |
      http://www.tiro.com | 0% | URL Reputation | safe |
      http://www.goodfont.co.kr | 0% | URL Reputation | safe |
      http://en.w | 0% | URL Reputation | safe |
      http://www.carterandcone.coml | 0% | URL Reputation | safe |
      http://www.sajatypeworks.com | 0% | URL Reputation | safe |
      http://www.typography.netD | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
      http://fontfabrik.com | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
      http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe |
      http://www.sandoll.co.kr | 0% | URL Reputation | safe |
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
      http://www.sakkal.com | 0% | URL Reputation | safe |
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      volkatv500.sytes.net | 41.103.180.209 | true | true | | unknown

      Name | Malicious | Antivirus Detection | Reputation
      volkatv500.sytes.net | true | 11%, Virustotal, Browse; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000002.293306717.0000000001705000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://en.w | jc1NVSdAkP.exe, 00000000.00000003.256656239.000000001BF6F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | jc1NVSdAkP.exe, 00000000.00000003.263865875.000000001BF71000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.html | jc1NVSdAkP.exe, 00000000.00000003.264295560.000000001BF70000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ascendercorp.com/typedesigners.html | jc1NVSdAkP.exe, 00000000.00000003.261828407.000000001BF6F000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261768881.000000001BF70000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261853022.000000001BF70000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | jc1NVSdAkP.exe, 00000000.00000003.262067529.000000001BF70000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261981088.000000001BF71000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261816363.000000001BF75000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261768881.000000001BF70000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261853022.000000001BF70000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.261933692.000000001BF6F000.00000004.00000020.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000002.298492596.000000001DDA2000.00000004.00000800.00020000.00000000.sdmp, jc1NVSdAkP.exe, 00000000.00000003.262105808.000000001BF76000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

Legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Caveat for triage: every URL in this table is a font-vendor or licence string (fontbureau, tiro, sajatypeworks, ascendercorp, the Apache-2.0 licence link) pulled from font metadata in process memory, and several are cut off or run into neighbouring bytes (coml, netD, DPlease, en.w). None of them appears in the DNS or TCP traffic recorded below; the only network indicator in this analysis is volkatv500.sytes.net resolving to 41.103.180.209 and the TCP session to port 999.
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
41.103.180.209 | volkatv500.sytes.net | Algeria | | 36947 | ALGTEL-ASDZ | true
                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:626606
Start date and time:2022-05-14 15:37:08 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 8m 0s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:jc1NVSdAkP.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@6/4@1/1
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 1.5% (good quality ratio 0.8%)
                            • Quality average: 32.8%
                            • Quality standard deviation: 33%
                            HCA Information:
                            • Successful, ratio: 92%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Adjust boot time
                            • Enable AMSI
                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                            • Execution Graph export aborted for target jc1NVSdAkP.exe, PID 6296 because it is empty
• Not all processes were analysed; the report is missing behavior information
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            No simulations
                            No context
                            Process:C:\Users\user\Desktop\jc1NVSdAkP.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):664
                            Entropy (8bit):5.280979230295524
                            Encrypted:false
                            SSDEEP:12:Q3LaJcP0/9UkB9t0kaHYGLi1B01kKVdisk70OAEaANv:ML2pBLaYgioQxAfA9
                            MD5:4F9B2B715AECAC008745D08674616098
                            SHA1:C57514C4DD41B45672DA1B05D487E72D46F000AC
                            SHA-256:E3A1D0AC3EC711220FADB6166C7C40078134ED136865BCB35DF2034091CB66A9
                            SHA-512:4F26878A7FF989DF363B1E55614D856408C44B7F970AA725F1B7C1431D52A7793BFAA22F53897CCF7469E52615550B06FCDBC1A6D51CC5390B2C87FD8559037B
                            Malicious:true
                            Reputation:moderate, very likely benign file
                            Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Remo#\bc6a0a01a7bd9d05ca132f229184fce6\System.Runtime.Remoting.ni.dll",0..
                            Process:C:\Users\user\Desktop\jc1NVSdAkP.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):226304
                            Entropy (8bit):6.497123229913743
                            Encrypted:false
                            SSDEEP:3072:cLuhd/JZMeAgxbSGsbnzjQuJZQ4r0CuCilOD2Ri/xL1MrXk6kXBOSDWHubKta:TJZMerxWbnzjQRMx4HkZW10tDyt
                            MD5:4AE230EAE2EC7BB0CFE6F9069616421E
                            SHA1:2439307F4A8B2D0938AB5BF480A0B12DA403933B
                            SHA-256:5F22CD86922FC0DFFF33F6D9906291E50D12259B86E5A8BC804B6945CA7E994E
                            SHA-512:1C06F2E1BB06B68BD4D269D5016A08E83081B260497E026CA2EBAADFC489318C54F1D079BC0D40D751F9FBA0EA89FE90635F9DBC1ED34448C66401A438C382F8
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: Virustotal, Detection: 64%, Browse
                            • Antivirus: Metadefender, Detection: 26%, Browse
                            • Antivirus: ReversingLabs, Detection: 61%
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h|p_.................`...p.......~... ........@.. ....................................@..................................~..W.................................................................................... ............... ..H............text....^... ...`.................. ..`.reloc...............b..............@..B.rsrc................d..............@..@.................~......H.......p...$...........................................................".(.....*....0..........s..........*.0..2..........(......(.......o.......o.......o ......o!.....*...0..)........~......(".....~....o#...%&~....o$...%&......9.....E.........-......&...~....o#...%&.....+a~.....o%...%&..o&...%&....,?.E...................,#.E........~.....~.....o%...%&o'......................1..E........~.....~....o#...%&..o(....~....~....o#...%&o).....~.....(*...%&s+...o,.........(-........
                            Process:C:\Users\user\Desktop\jc1NVSdAkP.exe
                            File Type:Windows desktop.ini, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):227
                            Entropy (8bit):5.2735028737400205
                            Encrypted:false
                            SSDEEP:6:a1eZBXVNYTF0NwoScUbtSgyAXIWv7v5PMKq:UeZBFNYTswUq1r5zq
                            MD5:F7F759A5CD40BC52172E83486B6DE404
                            SHA1:D74930F354A56CFD03DC91AA96D8AE9657B1EE54
                            SHA-256:A709C2551B8818D7849D31A65446DC2F8C4CCA2DCBBC5385604286F49CFDAF1C
                            SHA-512:A50B7826BFE72506019E4B1148A214C71C6F4743C09E809EF15CD0E0223F3078B683D203200910B07B5E1E34B94F0FE516AC53527311E2943654BFCEADE53298
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:; ==++==..; ..; Copyright (c) Microsoft Corporation. All rights reserved...; ..; ==--==..[.ShellClassInfo]..CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43}..ConfirmFileOp=1..InfoTip=Contains application stability information...
                            Process:C:\Windows\System32\netsh.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):313
                            Entropy (8bit):4.971939296804078
                            Encrypted:false
                            SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                            MD5:689E2126A85BF55121488295EE068FA1
                            SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                            SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                            SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
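The 313-byte file dropped by netsh.exe above is the banner that the deprecated `netsh firewall` context prints on success, which tells us which syntax the sample drove even though the command line itself is not reproduced in this part of the report. The Python below is an added example, not part of the Joe Sandbox report: it classifies netsh command lines as they would appear in process-creation logs, handles both the legacy `netsh firewall add allowedprogram` form (positional and `program=`/`mode=` keyed) and the current `netsh advfirewall firewall add rule` form, and raises the severity when an allow rule names a program under a user-writable path. The sample events, PIDs and paths are constructed for the example; the dropped-file path is a placeholder, not the sample's real drop location.

```python
import re

# Path fragments that mark user-writable locations (lower-cased, backslash-delimited).
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\", "\\public\\")

# Constructed process-creation events (not from the report). The first one uses the
# legacy "netsh firewall" context whose success banner is the dropped file shown above.
SAMPLE_EVENTS = [
    {"pid": 4210, "parent": r"C:\Users\user\AppData\Local\Temp\dropped.exe",
     "cmd": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\dropped.exe" "dropped.exe" ENABLE'},
    {"pid": 4211, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'netsh advfirewall firewall add rule name="Telemetry" dir=out action=block program="C:\Program Files\Vendor\agent.exe"'},
    {"pid": 4212, "parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'netsh advfirewall firewall add rule name="Agent" dir=in action=allow program="C:\Program Files\Vendor\agent.exe"'},
    {"pid": 4213, "parent": r"C:\Windows\System32\cmd.exe", "cmd": r"netsh interface ip show config"},
]


def tokenize(cmd):
    """Split a Windows command line on whitespace while keeping quoted spans together, then drop the quotes."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmd)]


def classify_netsh(cmd):
    """Describe what a netsh command line does to the firewall and how much attention it deserves."""
    result = {"legacy_context": False, "action": None, "program": None,
              "user_writable": False, "severity": "none"}
    tokens = tokenize(cmd)
    if not tokens or tokens[0].lower() not in ("netsh", "netsh.exe"):
        return result
    low = [t.lower() for t in tokens]
    if low[1:4] == ["firewall", "add", "allowedprogram"]:
        # Legacy context: "allowedprogram <path> <name> [ENABLE|DISABLE]" or program=/name=/mode= keys.
        result["legacy_context"] = True
        args = tokens[4:]
        kv = {}
        for t in args:
            key, sep, value = t.partition("=")
            if sep:
                kv[key.lower()] = value
        positional = [t for t in args if "=" not in t]
        result["program"] = kv.get("program") or (positional[0] if positional else None)
        mode = kv.get("mode") or (positional[2] if len(positional) > 2 else "ENABLE")
        result["action"] = "allow" if mode.upper() == "ENABLE" else "block"
    elif low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        kv = {}
        for t in tokens[5:]:
            key, sep, value = t.partition("=")
            if sep:
                kv[key.lower()] = value
        result["program"] = kv.get("program")
        result["action"] = kv.get("action", "").lower() or None
    else:
        return result  # not a firewall rule change; severity stays "none"
    program = (result["program"] or "").lower()
    result["user_writable"] = any(h in program for h in USER_WRITABLE_HINTS)
    if result["action"] == "allow" and result["user_writable"]:
        result["severity"] = "high"      # inbound/outbound hole for something the user could have dropped
    elif result["action"] == "allow" or result["legacy_context"]:
        result["severity"] = "medium"    # allow rule for an installed program, or any use of the legacy context
    else:
        result["severity"] = "low"
    return result


def triage(events):
    """Return the events worth an analyst's attention, enriched with the classification."""
    hits = []
    for ev in events:
        verdict = classify_netsh(ev["cmd"])
        if verdict["severity"] in ("high", "medium"):
            hits.append({**ev, **verdict})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["severity"], hit["pid"], hit["program"], "legacy" if hit["legacy_context"] else "advfirewall")
```

Any hit with `legacy_context` set is worth a look on its own: the legacy context has printed a deprecation notice since Windows Vista, so current administration scripts rarely use it, while it is still common in older RAT builders.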
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):6.497123229913743
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:jc1NVSdAkP.exe
                            File size:226304
                            MD5:4ae230eae2ec7bb0cfe6f9069616421e
                            SHA1:2439307f4a8b2d0938ab5bf480a0b12da403933b
                            SHA256:5f22cd86922fc0dfff33f6d9906291e50d12259b86e5a8bc804b6945ca7e994e
                            SHA512:1c06f2e1bb06b68bd4d269d5016a08e83081b260497e026ca2ebaadfc489318c54f1d079bc0d40d751f9fba0ea89fe90635f9dbc1ed34448c66401a438c382f8
                            SSDEEP:3072:cLuhd/JZMeAgxbSGsbnzjQuJZQ4r0CuCilOD2Ri/xL1MrXk6kXBOSDWHubKta:TJZMerxWbnzjQRMx4HkZW10tDyt
                            TLSH:2C244AAA33D86B02D45877B9458BA75053FEFA20FB02D6007E55797A3C937BB68121C3
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h|p_.................`...p.......~... ........@.. ....................................@................................
                            Icon Hash:e8ccc6c6cecce831
                            Entrypoint:0x427eee
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x5F707C68 [Sun Sep 27 11:50:00 2020 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:v2.0.50727
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the add byte ptr [eax], al line repeats for the rest of the dump: it is the disassembly of the 00 00 padding that follows the 6-byte stub)

The target 0x402000 is the image base 0x400000 plus the IAT directory at RVA 0x2000 (size 8), whose single entry is mscoree.dll!_CorExeMain: the standard native entry thunk of a managed executable, so all real code is CIL reached through the CLR header at RVA 0x2008.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x27e94 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a000 | 0x10eec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x28000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1adb8 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x25ef4 | 0x26000 | False | 0.632606907895 | data | 7.0671537001 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x28000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x2a000 | 0x10eec | 0x11000 | False | 0.324922449449 | data | 4.52018300234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2a130 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 16777216, next used block 16777216 | |
RT_GROUP_ICON | 0x3a958 | 0x14 | data | |
RT_VERSION | 0x3a96c | 0x394 | data | |
RT_MANIFEST | 0x3ad00 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | '
Assembly Version | 0.0.0.0
InternalName | WindowsApplication14.exe
FileVersion | 0.0.0.0
CompanyName | '
Comments | '
ProductName | '
ProductVersion | 0.0.0.0
FileDescription | '
OriginalFilename | WindowsApplication14.exe
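The entry-point, data-directory and section tables above show the layout the C# compiler emits: a 6-byte `jmp dword ptr [0x402000]` at the entry point, 0x402000 being the image base 0x400000 plus the IAT directory (RVA 0x2000, size 8) that holds the single import mscoree!_CorExeMain, and a CLR header at RVA 0x2008 (size 0x48). The .text entropy of 7.07 bits per byte is high for plain CIL and worth a second look, and the dropped PE32 listed earlier carries the same MD5 and SHA-256 as the sample, i.e. the malware wrote a copy of itself. The Python below, added here and not part of the Joe Sandbox report, reproduces those file-level checks on a hand-built PE32 image: it parses the headers with `struct` only, computes per-section 8-bit entropy as in the section table, tests for the COM descriptor directory, and confirms that the entry stub jumps through the IAT rather than to patched native code. The RVAs, sizes and image base of the constructed image are chosen for the example; the analysed sample's own values are the ones in the tables above.

```python
import math
import struct
from collections import Counter

DIR_IAT = 12             # IMAGE_DIRECTORY_ENTRY_IAT
DIR_COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(data: bytes) -> dict:
    """Parse PE32 headers, data directories and the section table using struct only."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "entropy": round(entropy(data[raw_ptr:raw_ptr + raw_size]), 3)})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def is_managed(pe: dict) -> bool:
    """A non-empty COM descriptor directory means the image carries a CLR header."""
    if len(pe["dirs"]) <= DIR_COM_DESCRIPTOR:
        return False
    va, size = pe["dirs"][DIR_COM_DESCRIPTOR]
    return va != 0 and size != 0


def entry_is_clr_stub(pe: dict, data: bytes) -> bool:
    """True when the entry point is `jmp dword ptr [X]` (FF 25) with X inside the IAT,
    i.e. the thunk through mscoree!_CorExeMain rather than native code of its own."""
    off = rva_to_offset(pe, pe["entry_rva"])
    stub = data[off:off + 6]
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return False
    target = struct.unpack_from("<I", stub, 2)[0]
    iat_va, iat_size = pe["dirs"][DIR_IAT]
    return pe["image_base"] + iat_va <= target < pe["image_base"] + iat_va + iat_size


def build_sample_pe(stub_target=None) -> bytes:
    """Construct a minimal PE32 image (not the analysed sample) with one .text section at RVA 0x2000
    holding an 8-byte IAT, a 0x48-byte CLR header and a CorExeMain-style entry stub at RVA 0x2050."""
    image_base, text_rva, text_raw, text_size = 0x400000, 0x2000, 0x200, 0x200
    iat_rva, com_rva, entry_rva = 0x2000, 0x2008, 0x2050
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x2000, 0x200)             # section / file alignment
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, iat_rva, 8)
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, com_rva, 0x48)
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + opt + sect).ljust(text_raw, b"\0")
    text = bytearray(text_size)                                 # zero padding disassembles as add [eax], al
    struct.pack_into("<I", text, com_rva - text_rva, 0x48)      # CLR header cb field
    target = image_base + iat_rva if stub_target is None else stub_target
    text[entry_rva - text_rva:entry_rva - text_rva + 6] = b"\xff\x25" + struct.pack("<I", target)
    return bytes(headers + text)


if __name__ == "__main__":
    image = build_sample_pe()
    pe = parse_pe32(image)
    print("managed:", is_managed(pe), "clr stub:", entry_is_clr_stub(pe, image))
    for s in pe["sections"]:
        print(s["name"], hex(s["va"]), "entropy", s["entropy"])
```

For the live process the same checks belong on the memory image rather than the file, since a sample that rewrites its own PE header in memory will report different directories there than on disk.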
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/14/22-15:39:01.814335 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49751 | 999 | 192.168.2.3 | 41.103.180.209
05/14/22-15:39:01.814335 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49751 | 999 | 192.168.2.3 | 41.103.180.209
05/14/22-15:39:01.539928 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49751 | 999 | 192.168.2.3 | 41.103.180.209
05/14/22-15:39:06.382536 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49751 | 999 | 192.168.2.3 | 41.103.180.209
05/14/22-15:39:06.382536 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49751 | 999 | 192.168.2.3 | 41.103.180.209
                            TimestampSource PortDest PortSource IPDest IP
                            May 14, 2022 15:38:59.926131010 CEST49751999192.168.2.341.103.180.209
                            May 14, 2022 15:39:00.000283003 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:39:00.000499010 CEST49751999192.168.2.341.103.180.209
                            May 14, 2022 15:39:01.539927959 CEST49751999192.168.2.341.103.180.209
                            May 14, 2022 15:39:01.814233065 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:39:01.814335108 CEST49751999192.168.2.341.103.180.209
                            May 14, 2022 15:39:02.089317083 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:39:06.104610920 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:39:06.109133005 CEST49751999192.168.2.341.103.180.209
                            May 14, 2022 15:39:06.382436991 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:39:06.382535934 CEST49751999192.168.2.341.103.180.209
                            May 14, 2022 15:39:06.654485941 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:39:24.170299053 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:39:24.171821117 CEST49751999192.168.2.341.103.180.209
                            May 14, 2022 15:39:24.446300030 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:39:42.234999895 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:39:42.240200043 CEST49751999192.168.2.341.103.180.209
                            May 14, 2022 15:39:42.513825893 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:40:00.298675060 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:40:00.301579952 CEST49751999192.168.2.341.103.180.209
                            May 14, 2022 15:40:00.570667028 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:40:18.365504980 CEST9994975141.103.180.209192.168.2.3
                            May 14, 2022 15:40:18.366318941 CEST49751999192.168.2.341.103.180.209
                            May 14, 2022 15:40:18.640578985 CEST9994975141.103.180.209192.168.2.3
                            TimestampSource PortDest PortSource IPDest IP
                            May 14, 2022 15:38:59.801275015 CEST5742153192.168.2.38.8.8.8
                            May 14, 2022 15:38:59.819323063 CEST53574218.8.8.8192.168.2.3
Timestamp                               Source IP      Dest IP    Trans ID    OP Code               Name                    Type              Class
May 14, 2022 15:38:59.801275015 CEST    192.168.2.3    8.8.8.8    0x3f25      Standard query (0)    volkatv500.sytes.net    A (IP address)    IN (0x0001)
Timestamp                               Source IP    Dest IP        Trans ID    Reply Code      Name                    CName    Address           Type              Class
May 14, 2022 15:38:59.819323063 CEST    8.8.8.8      192.168.2.3    0x3f25      No error (0)    volkatv500.sytes.net    -        41.103.180.209    A (IP address)    IN (0x0001)


Target ID: 0
Start time: 15:38:08
Start date: 14/05/2022
Path: C:\Users\user\Desktop\jc1NVSdAkP.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\jc1NVSdAkP.exe"
Imagebase: 0xc80000
File size: 226304 bytes
MD5 hash: 4AE230EAE2EC7BB0CFE6F9069616421E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.297921919.000000001BE00000.00000004.08000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.293369368.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

Target ID: 5
Start time: 15:38:30
Start date: 14/05/2022
Path: C:\Users\user\AppData\Roaming\sytesnet.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\sytesnet.exe"
Imagebase: 0xe0000
File size: 226304 bytes
MD5 hash: 4AE230EAE2EC7BB0CFE6F9069616421E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 64%, Virustotal
• Detection: 26%, Metadefender
• Detection: 61%, ReversingLabs
Reputation: low

Target ID: 15
Start time: 15:38:49
Start date: 14/05/2022
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\sytesnet.exe" "sytesnet.exe" ENABLE
Imagebase: 0x7ff7c7490000
File size: 92672 bytes
MD5 hash: 98CC37BBF363A38834253E22C80A8F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 16
Start time: 15:38:50
Start date: 14/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                            No disassembly