
Windows Analysis Report
rZ3LaKxraF

Overview

General Information

Sample Name: rZ3LaKxraF (renamed file extension from none to exe)
Analysis ID: 679204
MD5: f8b7ccfaa25ad7547501496c248c178e
SHA1: aae29f7ef62d5329c27c2040ed573d0ddc9a522e
SHA256: 42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b
Tags: exe, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Remcos RAT
Antivirus / Scanner detection for submitted sample
Detected Remcos RAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into foreign processes
Yara detected Generic Downloader
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • rZ3LaKxraF.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\rZ3LaKxraF.exe" MD5: F8B7CCFAA25AD7547501496C248C178E)
    • schtasks.exe (PID: 6684 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" /XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rZ3LaKxraF.exe (PID: 6800 cmdline: {path} MD5: F8B7CCFAA25AD7547501496C248C178E)
    • rZ3LaKxraF.exe (PID: 6856 cmdline: {path} MD5: F8B7CCFAA25AD7547501496C248C178E)
  • cleanup
{"Host:Port:Password": "37.120.210.219:3398:kehinde#2020|", "Assigned name": "jd", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_enhatfsgar", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "vbmcdsb"}
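The extracted configuration above is the most useful artifact in this report, because every field maps to something you can hunt for. As an added example (not part of the Joe Sandbox report, and not Remcos or Joe Security code), the Python below turns that configuration into concrete host and network indicators. Its assumptions: Remcos stores several C2 endpoints '|'-separated in the Host:Port:Password field (which is why the value ends in a '|'), a path selector of AppData maps to %APPDATA%, the copy-to-disk and Run-key setup only execute when Install flag is Enable, and Keylog flag "0" means the offline keylogger is off. The caveat that matters for this sample: Install flag is Disable, so the remcos\remcos.exe copy and the HKCU Run value "remcos" are not expected on the host; the persistence the sandbox actually recorded is the .NET loader's scheduled task Updates\ohnfNTVBamkg and the dropped C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe, which the config does not describe. The connection records are constructed.

```python
# Added example: derive hunt artifacts from the Remcos configuration the sandbox
# extracted. Not Joe Sandbox or Remcos code. The config dict is copied from the
# report (unused keys omitted); the connection records are constructed.

# Config keys copied from the report's Malware Configuration Extractor output.
REMCOS_CONFIG = {
    "Host:Port:Password": "37.120.210.219:3398:kehinde#2020|",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Disable",
    "Install path": "AppData",
    "Copy folder": "remcos",
    "Copy file": "remcos.exe",
    "Startup value": "remcos",
    "Mutex": "remcos_enhatfsgar",
    "Keylog flag": "1",
    "Keylog path": "AppData",
    "Keylog folder": "vbmcdsb",
    "Keylog file": "logs.dat",
}

# Assumed mapping of Remcos path selectors to environment roots; unknown
# selectors are passed through unchanged.
PATH_ROOTS = {"AppData": "%APPDATA%"}

RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def parse_c2_list(value):
    """Split 'host:port:password|host:port:password|' into (host, port, password) tuples.

    Assumption: entries are '|'-separated, so the trailing '|' in the report's
    value is just an empty last element. Split on the first two ':' only, so a
    password containing ':' survives intact.
    """
    c2s = []
    for entry in value.split("|"):
        if not entry:
            continue
        host, port, password = entry.split(":", 2)
        c2s.append((host, int(port), password))
    return c2s


def derive_iocs(cfg):
    """Return the mutex, C2 list, expected files and Run-key values for a config."""
    iocs = {
        "c2": parse_c2_list(cfg["Host:Port:Password"]),
        "mutex": cfg["Mutex"],
        "files": [],
        "run_keys": [],
    }
    # Assumption: the copy-to-disk and Run-key setup only run when Install flag
    # is Enable. For this sample it is Disable, so nothing is added here.
    if cfg.get("Install flag") == "Enable":
        root = PATH_ROOTS.get(cfg["Install path"], cfg["Install path"])
        iocs["files"].append(f"{root}\\{cfg['Copy folder']}\\{cfg['Copy file']}")
        for hive, flag in (("HKCU", "Setup HKCU\\Run"), ("HKLM", "Setup HKLM\\Run")):
            if cfg.get(flag) == "Enable":
                iocs["run_keys"].append((f"{hive}\\{RUN_KEY}", cfg["Startup value"]))
    # Keylog flag "0" is taken to mean the offline keylogger is off (assumption).
    if cfg.get("Keylog flag", "0") != "0":
        kroot = PATH_ROOTS.get(cfg["Keylog path"], cfg["Keylog path"])
        iocs["files"].append(f"{kroot}\\{cfg['Keylog folder']}\\{cfg['Keylog file']}")
    return iocs


def match_connections(iocs, flows):
    """Return the flows whose destination is a configured C2 endpoint."""
    targets = {(host, port) for host, port, _ in iocs["c2"]}
    return [f for f in flows if (f["dst"], f["dport"]) in targets]


# Constructed connection records: the session the sandbox observed plus a
# benign HTTPS control that must not match.
SAMPLE_FLOWS = [
    {"src": "192.168.2.7", "dst": "37.120.210.219", "dport": 3398, "proto": "tcp"},
    {"src": "192.168.2.7", "dst": "203.0.113.10", "dport": 443, "proto": "tcp"},
]


if __name__ == "__main__":
    found = derive_iocs(REMCOS_CONFIG)
    print("mutex:", found["mutex"])
    print("c2:", found["c2"])
    print("files:", found["files"])
    print("run keys:", found["run_keys"])
    print("hits:", match_connections(found, SAMPLE_FLOWS))
```

For this config the only file-system artifact the Remcos payload itself produces is the keylog at %APPDATA%\vbmcdsb\logs.dat; the mutex remcos_enhatfsgar (which the sandbox did observe being created) and the TCP endpoint 37.120.210.219:3398 are the reliable host and network checks.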
Yara matches (memory dumps)
Source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp | Rule: Remcos | Description: detect Remcos in memory | Author: JPCERT/CC Incident Response Group
  • 0xb7c8c:$remcos: Remcos
  • 0xb8500:$remcos: Remcos
  • 0xb8538:$url: Breaking-Security.Net
  • 0xbcd42:$resource: SETTINGS
Source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Yara matches (unpacked PEs)
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | Description: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
  • 0x10738:$s1: \Classes\mscfile\shell\open\command
  • 0x10720:$s2: eventvwr.exe
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | Rule: Remcos_1 | Description: Remcos Payload | Author: kevoreilly
  • 0x11034:$name: Remcos
  • 0x118a8:$name: Remcos
  • 0x118fb:$name: REMCOS
  • 0x10688:$time: %02i:%02i:%02i:%03i
  • 0x11320:$time: %02i:%02i:%02i:%03i
  • 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 06 47 3B 7D 0C 72
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | Rule: Remcos | Description: detect Remcos in memory | Author: JPCERT/CC Incident Response Group
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: SETTINGS
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x114dc:$funcs1: autogetofflinelogs
  • 0x114c0:$funcs2: clearlogins
  • 0x114f0:$funcs3: getofflinelogs
  • 0x11578:$funcs4: execcom
  • 0x114cc:$funcs5: deletekeylog
  • 0x11798:$funcs6: remscriptexecd
  • 0x115bc:$funcs7: getwindows
  • 0x10da0:$funcs8: fundlldata
  • 0x10d78:$funcs9: getfunlib
  • 0x107ec:$funcs10: autofflinelogs
  • 0x113b8:$funcs11: getclipboard
  • 0x114b4:$funcs12: getscrslist
  • 0x107e0:$funcs13: offlinelogs
  • 0x105c8:$funcs14: getcamsingleframe
  • 0x116e4:$funcs15: listfiles
  • 0x115e0:$funcs16: getproclist
  • 0x10828:$funcs17: onlinelogs
  • 0x11700:$funcs18: getdrives
  • 0x11784:$funcs19: remscriptsuccess
  • 0x10600:$funcs20: getcamframe
  • 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
No Sigma rule has matched
Snort IDS alert:
Timestamp: 08/05/22-12:03:58.881678
SID: 2841134
Source: 192.168.2.7, port 49774
Destination: 37.120.210.219, port 3398
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: rZ3LaKxraF.exe | ReversingLabs: Detection: 47%
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6856, type: MEMORYSTR
Source: rZ3LaKxraF.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | Avira: detection malicious, Label: HEUR/AGEN.1208404
Source: C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | ReversingLabs: Detection: 47%
Source: rZ3LaKxraF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | Joe Sandbox ML: detected
Source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "37.120.210.219:3398:kehinde#2020|", "Assigned name": "jd", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "remcos", "Hide file": "Disable", "Mutex": "remcos_enhatfsgar", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "vbmcdsb"}
Source: rZ3LaKxraF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rZ3LaKxraF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

Networking

Source: Traffic | Snort IDS: 2841134 ETPRO TROJAN Win32/Remcos RAT Checkin 348 192.168.2.7:49774 -> 37.120.210.219:3398
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE
Source: Malware configuration extractor | URLs: 37.120.210.219
Source: Joe Sandbox View | ASN Name: M247GB M247GB
Source: global traffic | TCP traffic: 192.168.2.7:49774 -> 37.120.210.219:3398
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Note: the fontbureau.com, carterandcone.com, sajatypeworks.com and similar strings are type-foundry and license URLs carried in embedded font resources of the .NET UI layer; they are not contacted hosts. The only network activity recorded in this run is the TCP session to 37.120.210.219:3398 (classification label @0/1: no domains, one IP).

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe, 00000000.00000002.403374289.00000000015C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6856, type: MEMORYSTR

System Summary

Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE | Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.rZ3LaKxraF.exe.33b18cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: rZ3LaKxraF.exe, frmMainForm.cs | Long String: Length: 20037
Source: ohnfNTVBamkg.exe.0.dr, frmMainForm.cs | Long String: Length: 20037
Source: 0.0.rZ3LaKxraF.exe.f00000.0.unpack, frmMainForm.cs | Long String: Length: 20037
Source: rZ3LaKxraF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.rZ3LaKxraF.exe.33b18cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTR | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects a base64 encoded executable with reversed characters, score = file, reference = Internal Research
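The INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer matches above rest on two strings in the unpacked Remcos payload, \Classes\mscfile\shell\open\command and eventvwr.exe. That is a capability indicator: the report records no registry write to that key and no eventvwr.exe launch in this run. When the capability is used, it leaves two telemetry artifacts, and the following Python, an added example that is not Joe Sandbox code, shows detection logic for both over constructed Sysmon-style events (field names assumed, not a particular EDR schema): a value written under a user hive's mscfile\shell\open\command, and eventvwr.exe starting a child other than mmc.exe.

```python
# Added example: detection logic for the eventvwr.exe / mscfile handler hijack that
# the INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer strings point at. Not Joe
# Sandbox code. The events below are constructed; the report records the strings
# in the unpacked payload only, not a registry write or an eventvwr.exe launch.
import re

MSCFILE_CMD_RE = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.I)

# Constructed Sysmon-style events (field names assumed): a per-user mscfile
# handler write, a benign per-user file-association write, eventvwr.exe launching
# its normal mmc.exe child, and eventvwr.exe launching something that is not mmc.exe.
EVENTS = [
    {"type": "reg_set", "pid": 6856, "image": r"C:\Users\user\Desktop\rZ3LaKxraF.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Classes\mscfile\shell\open\command\(Default)",
     "details": r"C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe"},
    {"type": "reg_set", "pid": 4321, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Classes\.txt\OpenWithProgids\txtfile",
     "details": ""},
    {"type": "proc", "pid": 7000, "image": r"C:\Windows\System32\mmc.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe",
     "cmdline": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"'},
    {"type": "proc", "pid": 7001, "image": r"C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe"},
]


def check_mscfile_handler_write(ev):
    """A write to a user hive's mscfile\\shell\\open\\command is the setup step:
    on affected Windows builds the auto-elevated eventvwr.exe resolves the mscfile
    handler through HKCU\\Software\\Classes first, so the command stored there runs
    elevated without a UAC prompt."""
    if ev["type"] != "reg_set" or not MSCFILE_CMD_RE.search(ev["target"]):
        return None
    return {"rule": "mscfile_handler_write", "pid": ev["pid"],
            "writer": ev["image"], "command": ev["details"]}


def check_eventvwr_child(ev):
    """eventvwr.exe normally only starts mmc.exe; any other child means the hijack fired."""
    if ev["type"] != "proc":
        return None
    if not ev["parent_image"].lower().endswith("\\eventvwr.exe"):
        return None
    if ev["image"].lower().endswith("\\mmc.exe"):
        return None
    return {"rule": "eventvwr_unexpected_child", "pid": ev["pid"], "image": ev["image"]}


def scan(events):
    """Run both checks over a list of events and collect the findings."""
    findings = []
    for ev in events:
        for check in (check_mscfile_handler_write, check_eventvwr_child):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

The registry check is the one to alert on first: it fires before elevation happens and names the writer process, whereas the unexpected-child check only confirms that the elevated launch already took place.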
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03127780
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03128428
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03124088
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03122CC8
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03127770
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_031257B0
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_031237A0
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03126FF0
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03126FE0
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03128690
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_031286A0
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03128119
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03124530
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03128128
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03127D57
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03123168
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03128418
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_0312003A
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03120040
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03122CB8
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_0320C5F4
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_0320E900
Source: rZ3LaKxraF.exe, 00000000.00000002.403374289.00000000015C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe, 00000000.00000002.411653562.0000000007840000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiZpEr.exeB vs rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe, 00000000.00000000.349335264.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameiZpEr.exeB vs rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe, 00000000.00000002.412112115.0000000007A20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe | Binary or memory string: OriginalFilenameiZpEr.exeB vs rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rZ3LaKxraF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rZ3LaKxraF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ohnfNTVBamkg.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ohnfNTVBamkg.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ohnfNTVBamkg.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rZ3LaKxraF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ohnfNTVBamkg.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rZ3LaKxraF.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | File read: C:\Users\user\Desktop\rZ3LaKxraF.exe
Source: rZ3LaKxraF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe "C:\Users\user\Desktop\rZ3LaKxraF.exe"
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" /XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe {path}
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe {path}
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" /XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe {path}
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe {path}
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeFile created: C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exeJump to behavior
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeFile created: C:\Users\user\AppData\Local\Temp\tmpC7FE.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/4@0/1
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: rZ3LaKxraF.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeMutant created: \Sessions\1\BaseNamedObjects\remcos_enhatfsgar
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_01
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeMutant created: \Sessions\1\BaseNamedObjects\AlkQUlEgEPdgdvFu
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: rZ3LaKxraF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: rZ3LaKxraF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

Source: rZ3LaKxraF.exe, frmMainForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: ohnfNTVBamkg.exe.0.dr, frmMainForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: 0.0.rZ3LaKxraF.exe.f00000.0.unpack, frmMainForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Code function: 0_2_03120006 push ss; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.651863680261729 (reported twice)
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | File created: C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe

            Boot Survival

Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" /XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process information set: NOOPENFILEERRORBOX (39 occurrences)
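The schtasks invocation recorded above registers a task from an XML definition staged in %TEMP% (tmpC7FE.tmp) under the task folder "Updates\". The report captures the command line and the dropped payload path but not the XML body. The Python below is an added triage example, not part of the Joe Sandbox report: it pulls the task name and XML path out of a captured schtasks command line, and audits a Task Scheduler XML definition for the traits a responder checks first (action binary under a user-writable directory, logon trigger, hidden flag). The two XML bodies are constructed for illustration; the suspicious one is assumed to launch the dropped C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe, since the report does not show the real tmpC7FE.tmp content. The rule names are the example's own.

```python
"""Audit a schtasks /XML persistence artefact (added triage example, not from the report)."""
import re
import xml.etree.ElementTree as ET

# Task Scheduler 2.0 XML namespace used by schtasks /Create /XML definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a non-admin user can write to. A task whose action binary lives
# here deserves a closer look than one under Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Desktop|Downloads|ProgramData|Users\\Public)\\", re.IGNORECASE
)


def audit_schtasks_cmdline(cmdline: str) -> dict:
    """Extract task name and XML path from a captured schtasks command line."""
    # Values may be quoted or bare; stop at the next switch or end of line.
    tn = re.search(r'/TN\s+"?([^"]+?)"?(?=\s+/|\s*$)', cmdline, re.IGNORECASE)
    xml = re.search(r'/XML\s+"?([^"]+?)"?(?=\s+/|\s*$)', cmdline, re.IGNORECASE)
    xml_path = xml.group(1) if xml else ""
    return {
        "creates_task": "/create" in cmdline.lower(),
        "task_name": tn.group(1) if tn else "",
        "xml_path": xml_path,
        # Definitions staged in a Temp folder are typical of droppers, not admins.
        "xml_in_temp": bool(re.search(r"\\Temp\\", xml_path, re.IGNORECASE)),
    }


def audit_task_xml(xml_text: str) -> dict:
    """Summarise a Task Scheduler XML definition and flag persistence traits."""
    root = ET.fromstring(xml_text)
    exec_node = root.find(".//t:Actions/t:Exec", TASK_NS)
    command = arguments = ""
    if exec_node is not None:
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
    trig_parent = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig_parent is None else [c.tag.split("}")[-1] for c in trig_parent]
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    flags = []
    if USER_WRITABLE.search(command):
        flags.append("command_in_user_writable_path")
    if "LogonTrigger" in triggers:
        flags.append("runs_at_logon")
    if hidden.strip().lower() == "true":
        flags.append("hidden_task")
    return {"command": command, "arguments": arguments, "triggers": triggers, "flags": flags}


# Constructed sample (assumption): what the staged definition plausibly contains.
# The report gives only the path of tmpC7FE.tmp; the action is the dropped file.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\ohnfNTVBamkg.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed control: a vendor updater under Program Files on a daily schedule.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2022-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

# The schtasks command line exactly as captured in the report above.
SAMPLE_CMDLINE = (
    r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" '
    r'/XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp'
)

if __name__ == "__main__":
    print(audit_schtasks_cmdline(SAMPLE_CMDLINE))
    print(audit_task_xml(SUSPICIOUS_TASK_XML)["flags"])
    print(audit_task_xml(BENIGN_TASK_XML)["flags"])
```

On a live host the same checks apply to the registered copy of the task under C:\Windows\System32\Tasks\Updates\, which survives after the %TEMP% staging file is deleted.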

            Malware Analysis System Evasion

Source: Yara match | File source: 0.2.rZ3LaKxraF.exe.33b18cc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTR
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000002.614044963.0000000000410000.00000040.00000400.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: rZ3LaKxraF.exe, 00000007.00000002.614044963.0000000000410000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: R`\SOSBIEDLL.DLL
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe TID: 6436 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe TID: 6988 | Thread sleep count: 552 > 30
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe TID: 6988 | Thread sleep time: -5520000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Window / User API: threadDelayed 552
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Thread delayed: delay time: 922337203685477
Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000002.614044963.0000000000410000.00000040.00000400.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000002.614044963.0000000000410000.00000040.00000400.00020000.00000000.sdmp, rZ3LaKxraF.exe, 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: @HARDWARE\ACPI\DSDT\VBOX__PROCMON_WINDOW_CLASSPROCEXPL21invalid vector<T> subscript?playaudiodatafmt WAVERIFF.wav%Y-%m-%d %H.%MgetcamsingleframenocamerastartcamcapclosecamgetcamframeinitcamcapFreeFrameGetFrameCloseCameraOpenCameracamdlldatacamframe|dmc|[DataStart][DataStart]0000%02i:%02i:%02i:%03i [KeepAlive] Enabled! (Timeout: %i seconds)
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Memory written: C:\Users\user\Desktop\rZ3LaKxraF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" /XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe {path}
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Process created: C:\Users\user\Desktop\rZ3LaKxraF.exe {path}
Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageranager
Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: art]Bpong|cmd|0|cmd|Program Manager|cmd|128|cmd|52116843rontdesk|cmd|~~
Source: rZ3LaKxraF.exe, 00000007.00000002.614412727.0000000002A8D000.00000004.00000010.00020000.00000000.sdmp, logs.dat.7.dr | Binary or memory string: [ Program Manager ]
Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d|0|cmd|Program ManageruesdayWedWednesdayThu
Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr
Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d|0|cmd|Program Manager|cmd|rMarchAprAprilMa
Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d|0|cmd|Program Manager|cmd|128|cmd|
Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d|0|cmd|Program Manager|cmd|128|cmd|521168439
Source: rZ3LaKxraF.exe, 00000007.00000002.614466932.0000000002AB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d|0|cmd|Program Manager|cmd|128vNovemberDecDe
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Users\user\Desktop\rZ3LaKxraF.exe VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\rZ3LaKxraF.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rZ3LaKxraF.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match, File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rZ3LaKxraF.exe PID: 6856, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match, File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 7.0.rZ3LaKxraF.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rZ3LaKxraF.exe.43cfc58.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rZ3LaKxraF.exe.4367c38.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: rZ3LaKxraF.exe PID: 6412, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rZ3LaKxraF.exe PID: 6856, type: MEMORYSTR
            Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: Remcos_Mutex_Inj
            Source: rZ3LaKxraF.exe, 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
            Source: rZ3LaKxraF.exe, 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: Remcos_Mutex_Inj
            Source: rZ3LaKxraF.exe, 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
            Source: rZ3LaKxraF.exe, 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: Remcos_Mutex_Inj
            Source: rZ3LaKxraF.exe, 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
            | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
            |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
            | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 112 Process Injection | 1 Masquerading | 111 Input Capture | 1 Query Registry | Remote Services | 111 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
            | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
            | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Remote Access Software | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
            | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 112 Process Injection | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
            | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
            | Replication Through Removable Media | Launchd | Rc.common | Rc.common | 12 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync12
            System Information Discovery
            Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

Source | Detection | Scanner | Label
rZ3LaKxraF.exe | 48% | ReversingLabs | ByteCode-MSIL.Spyware.SnakeLogger
rZ3LaKxraF.exe | 100% | Avira | HEUR/AGEN.1208404
rZ3LaKxraF.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | 100% | Avira | HEUR/AGEN.1208404
C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ohnfNTVBamkg.exe | 48% | ReversingLabs | ByteCode-MSIL.Spyware.SnakeLogger

Source | Detection | Scanner | Label
0.0.rZ3LaKxraF.exe.f00000.0.unpack | 100% | Avira | HEUR/AGEN.1208404
7.0.rZ3LaKxraF.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1219514
0.2.rZ3LaKxraF.exe.43cfc58.2.unpack | 100% | Avira | HEUR/AGEN.1219514
            No Antivirus matches
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
37.120.210.219 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
37.120.210.219 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rZ3LaKxraF.exe, 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | rZ3LaKxraF.exe, 00000000.00000002.410661170.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
37.120.210.219 | unknown | Romania | 9009 | M247GB | true
                                  Joe Sandbox Version:35.0.0 Citrine
                                  Analysis ID:679204
Start date and time: 2022-08-05 12:01:06 +02:00
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 7m 44s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:rZ3LaKxraF (renamed file extension from none to exe)
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Number of analysed new started processes analysed:19
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@8/4@0/1
                                  EGA Information:
                                  • Successful, ratio: 50%
                                  HDC Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 93%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 20.82.210.154
                                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, store-images.s-microsoft.com, login.live.com, ctldl.windowsupdate.com, arc.trafficmanager.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target rZ3LaKxraF.exe, PID 6856 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: rZ3LaKxraF.exe
Time | Type | Description
12:03:08 | API Interceptor | 808x Sleep call for process: rZ3LaKxraF.exe modified
                                  No context
                                  Process:C:\Users\user\Desktop\rZ3LaKxraF.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.355304211458859
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                  Malicious:true
                                  Reputation:high, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                  Process:C:\Users\user\Desktop\rZ3LaKxraF.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1661
                                  Entropy (8bit):5.174023600988245
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1Ntn:cbhH7MlNQ8/rydbz9I3YODOLNdq3v
                                  MD5:221CE6A07FB67113112AED2562CBF3B3
                                  SHA1:39FEC1C7C72BB5C740C24412537B4F429486708F
                                  SHA-256:6B98B72DA3B6BDBDBF83DE716C1D1F8F50D43E71FA28FB26239111128900F414
                                  SHA-512:73EB9B348394B3BCB36AC00EC6CC7F636EB45EDB3DDA29682A0A7D943D1BF9BC99B641706DF93C59E61C73EE80C5E7B871956F7AD179C8B8E15964C9D4594C6B
                                  Malicious:true
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                  Process:C:\Users\user\Desktop\rZ3LaKxraF.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):703488
                                  Entropy (8bit):6.9630413774878415
                                  Encrypted:false
                                  SSDEEP:12288:2u82iNDXR0NSqCGCHw1jZIvNds4mcGrONHhbP7r9r/+ppppppppppppppppppppZ:E1rvqCGCQJZIvoYGoHhb1qH
                                  MD5:F8B7CCFAA25AD7547501496C248C178E
                                  SHA1:AAE29F7EF62D5329C27C2040ED573D0DDC9A522E
                                  SHA-256:42638E51CD3EFF415CE751E700D233596988FD51FFBA584B18DD2E78EC07BC2B
                                  SHA-512:CBFEC11BA74137DF8A56D8C6CA74A04F3773D52C097AD78A5413733AD8DE540CE8F0BE54A9DCF2A708BBB56A0DAEA69F247BA7255485DE2406ED310B07D91E44
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 48%
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9.b..............P..\...^.......z... ........@.. ....................................@.................................@z..O.......h[........................................................................... ............... ..H............text....Z... ...\.................. ..`.rsrc...h[.......\...^..............@..@.reloc..............................@..B................tz......H........Q..,.......B...HE...4............................................( ...*&..(!....*.s"........s#........s$........s%........s&........*...0...........~....o'....+..*.0...........~....o(....+..*.0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*.0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+..*.0...........~.....+..*".......*.0..&........(....r=..p~....o0...(1.....t$....+..*...0..&........(....rI..p~....o0...(1.....
                                  Process:C:\Users\user\Desktop\rZ3LaKxraF.exe
                                  File Type:ASCII text, with CRLF, CR line terminators
                                  Category:dropped
                                  Size (bytes):25
                                  Entropy (8bit):3.593269689515108
                                  Encrypted:false
                                  SSDEEP:3:M1XKe3n:0aS
                                  MD5:89B5667E995FBEB88EDDA0BAC2FD47C4
                                  SHA1:76FB3FE1E77B0F1A5C6014437515F1DB8EAAEC37
                                  SHA-256:EE321AE724EA998CADB15526D3573191C892653D28A8AA7DE43413AE2DCE5E79
                                  SHA-512:F542FC946C29FAECC5D660548B43B1F59C909955FDF162F150426DBB23FDD3CDEFED435254884DBCDACA82529249A7C2C07DC9DC8C5073156056F8A92B28A92F
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:...[ Program Manager ]...
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):6.9630413774878415
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:rZ3LaKxraF.exe
                                  File size:703488
                                  MD5:f8b7ccfaa25ad7547501496c248c178e
                                  SHA1:aae29f7ef62d5329c27c2040ed573d0ddc9a522e
                                  SHA256:42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b
                                  SHA512:cbfec11ba74137df8a56d8c6ca74a04f3773d52c097ad78a5413733ad8de540ce8f0be54a9dcf2a708bbb56a0daea69f247ba7255485de2406ed310b07d91e44
                                  SSDEEP:12288:2u82iNDXR0NSqCGCHw1jZIvNds4mcGrONHhbP7r9r/+ppppppppppppppppppppZ:E1rvqCGCQJZIvoYGoHhb1qH
                                  TLSH:33E48E80E586B664DE19D7745BFACC754533BD6AE838952C28DD3F37BBB7AA20011023
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9.b..............P..\...^.......z... ........@.. ....................................@................................
                                  Icon Hash:c4c4c4c8ccd4d0c4
                                  Entrypoint:0x477a92
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x62DF39AA [Tue Jul 26 00:47:38 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
add byte ptr [eax], al (the same instruction, the disassembly of the two-byte sequence 00 00, repeated 97 times)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x77a40 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x78000 | 0x35b68 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x75a98 | 0x75c00 | False | 0.814691563826964 | data | 7.651863680261729 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x78000 | 0x35b68 | 0x35c00 | False | 0.21262263808139534 | data | 4.520503418212817 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xae000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x78460 | 0x668 | data | |
RT_ICON | 0x78ac8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294965391, next used block 7403512 | |
RT_ICON | 0x78db0 | 0x1e8 | data | |
RT_ICON | 0x78f98 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x790c0 | 0x35e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x7c6a0 | 0xea8 | data | |
RT_ICON | 0x7d548 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x7ddf0 | 0x6c8 | data | |
RT_ICON | 0x7e4b8 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x7ea20 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x8f248 | 0x94a8 | data | |
RT_ICON | 0x986f0 | 0x67e8 | data | |
RT_ICON | 0x9eed8 | 0x5488 | data | |
RT_ICON | 0xa4360 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 2130706432 | |
RT_ICON | 0xa8588 | 0x25a8 | data | |
RT_ICON | 0xaab30 | 0x10a8 | data | |
RT_ICON | 0xabbd8 | 0x988 | data | |
RT_ICON | 0xac560 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xac9c8 | 0x102 | data | |
RT_VERSION | 0xacacc | 0x354 | data | |
RT_MANIFEST | 0xace20 | 0xd48 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/05/22-12:03:58.881678 | TCP | 2841134 | ETPRO TROJAN Win32/Remcos RAT Checkin 348 | 49774 | 3398 | 192.168.2.7 | 37.120.210.219
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 12:02:43.141547918 CEST | 49774 | 3398 | 192.168.2.7 | 37.120.210.219
Aug 5, 2022 12:02:43.615458965 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:02:43.615602016 CEST | 49774 | 3398 | 192.168.2.7 | 37.120.210.219
Aug 5, 2022 12:02:43.616734028 CEST | 49774 | 3398 | 192.168.2.7 | 37.120.210.219
Aug 5, 2022 12:02:44.114769936 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:02:44.131412029 CEST | 49774 | 3398 | 192.168.2.7 | 37.120.210.219
Aug 5, 2022 12:02:44.652451038 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:02:58.748060942 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:02:58.758995056 CEST | 49774 | 3398 | 192.168.2.7 | 37.120.210.219
Aug 5, 2022 12:02:59.282506943 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:03:18.786052942 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:03:18.789299011 CEST | 49774 | 3398 | 192.168.2.7 | 37.120.210.219
Aug 5, 2022 12:03:19.304574966 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:03:38.821558952 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:03:38.824368954 CEST | 49774 | 3398 | 192.168.2.7 | 37.120.210.219
Aug 5, 2022 12:03:39.342868090 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:03:58.876553059 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:03:58.881678104 CEST | 49774 | 3398 | 192.168.2.7 | 37.120.210.219
Aug 5, 2022 12:03:59.401487112 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:04:18.985163927 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7
Aug 5, 2022 12:04:18.986965895 CEST | 49774 | 3398 | 192.168.2.7 | 37.120.210.219
Aug 5, 2022 12:04:19.506959915 CEST | 3398 | 49774 | 37.120.210.219 | 192.168.2.7


                                  Target ID:0
                                  Start time:12:02:56
                                  Start date:05/08/2022
                                  Path:C:\Users\user\Desktop\rZ3LaKxraF.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\rZ3LaKxraF.exe"
                                  Imagebase:0xf00000
                                  File size:703488 bytes
                                  MD5 hash:F8B7CCFAA25AD7547501496C248C178E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Remcos, Description: detect Remcos in memory, Source: 00000000.00000002.407920965.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Remcos, Description: detect Remcos in memory, Source: 00000000.00000002.404558787.0000000003405000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.404143465.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low

                                  Target ID:3
                                  Start time:12:03:16
                                  Start date:05/08/2022
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohnfNTVBamkg" /XML "C:\Users\user\AppData\Local\Temp\tmpC7FE.tmp
                                  Imagebase:0xef0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:5
                                  Start time:12:03:17
                                  Start date:05/08/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7bab80000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:6
                                  Start time:12:03:18
                                  Start date:05/08/2022
                                  Path:C:\Users\user\Desktop\rZ3LaKxraF.exe
                                  Wow64 process (32bit):false
                                  Commandline:{path}
                                  Imagebase:0x290000
                                  File size:703488 bytes
                                  MD5 hash:F8B7CCFAA25AD7547501496C248C178E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low

                                  Target ID:7
                                  Start time:12:03:19
                                  Start date:05/08/2022
                                  Path:C:\Users\user\Desktop\rZ3LaKxraF.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0x870000
                                  File size:703488 bytes
                                  MD5 hash:F8B7CCFAA25AD7547501496C248C178E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.614442968.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000000.399658714.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low

                                  No disassembly