
Windows Analysis Report
SFNM#U007e12345HBV-09876567.exe

Overview

General Information

Sample Name: SFNM#U007e12345HBV-09876567.exe (the "#U007e" is the sandbox's escape for U+007E "~"; the file's own name, as used by the self-copy in the process tree below, is SFNM~12345HBV-09876567.exe)
Analysis ID: 709714
MD5: 54e31b7e289bea078ed769a046c3842e
SHA1: bf7d74cb34792b258f46e29221c4cbff57bb6979
SHA256: 9cf831ec812b6928eb2fe0c9625da78e8f294d6a5b255ddf894bbbe5b3f7698a

Detection

Nanocore, DarkTortilla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected DarkTortilla Crypter
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected Nanocore Rat
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

(classification diagram not reproduced)

Process Tree

  • System is w10x64
  • SFNM#U007e12345HBV-09876567.exe (PID: 588 cmdline: "C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe" MD5: 54E31B7E289BEA078ED769A046C3842E)
    • cmd.exe (PID: 5960 cmdline: cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6068 cmdline: ping 127.0.0.1 -n 38 MD5: 70C24A306F768936563ABDADB9CA9108)
      • reg.exe (PID: 2708 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe" MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • cmd.exe (PID: 1888 cmdline: cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe" "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 4768 cmdline: ping 127.0.0.1 -n 41 MD5: 70C24A306F768936563ABDADB9CA9108)
      • PING.EXE (PID: 920 cmdline: ping 127.0.0.1 -n 41 MD5: 70C24A306F768936563ABDADB9CA9108)
  • cleanup
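The tree above shows two cmd.exe chains spawned by the sample: one pings loopback 38 times (a sleep of roughly 37 s) and then writes a Run value named CHRIST,MARICERTYK; the other sleeps, copies the sample into the user's Favorites folder under its real tilde name, sleeps again and launches the copy. The Run value points at that copy, so the persistence entry and the relocated binary belong to the same chain. The following Python is an added example of detection logic for this pattern, not part of the Joe Sandbox report: it runs over constructed process-creation records (a Sysmon-like dict per process is an assumed layout; only the command lines are taken from the tree), computes the delay implied by each loopback ping, extracts Run-key writes and self-copies, and checks whether the persisted path is the copy the same chain just made.

```python
"""Detect ping-as-sleep, self-copy and HKCU Run-key persistence in cmd.exe chains."""
import json
import re

# Constructed process-creation records mirroring the report's process tree.
# The dict layout is assumed; only the command lines come from the report.
EVENTS = [
    {"pid": 588, "ppid": 0, "image": r"C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe",
     "cmdline": r'"C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe"'},
    {"pid": 5960, "ppid": 588, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD '
                r'"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" '
                r'/t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe"'},
    {"pid": 6068, "ppid": 5960, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 38"},
    {"pid": 1888, "ppid": 588, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd" /c ping 127.0.0.1 -n 41 > nul && copy '
                r'"C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe" '
                r'"C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe" && ping 127.0.0.1 -n 41 > nul '
                r'&& "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe"'},
]

# ping to a loopback address with "-n N": ping waits about one second between echo
# requests, so N requests cost roughly N-1 seconds of wall-clock delay.
PING_SLEEP = re.compile(
    r"\bping(?:\.exe)?\b(?=[^&|]*\s-n\s+(\d+))(?=[^&|]*\s(?:127\.0\.0\.1|localhost|::1)\b)",
    re.I)
# reg add into a Run/RunOnce key, plus the /v name and /d data that follow it.
RUN_KEY = re.compile(r'\breg(?:\.exe)?\s+add\s+"?([^"\s]*\\CurrentVersion\\Run(?:Once)?)\b', re.I)
VALUE_NAME = re.compile(r'/v\s+"?([^"]+?)"?\s+/', re.I)
VALUE_DATA = re.compile(r'/d\s+"?([^"]+?)"?\s*(?:&&|$)', re.I)
COPY = re.compile(r'\bcopy\s+(?:/y\s+)?"([^"]+)"\s+"([^"]+)"', re.I)


def ping_sleep_seconds(cmdline):
    """Total delay in seconds implied by loopback pings in one command line."""
    return sum(max(int(n) - 1, 0) for n in PING_SLEEP.findall(cmdline))


def run_key_persistence(cmdline):
    """(key, value name, value data) if the line writes a Run value, else None."""
    key = RUN_KEY.search(cmdline)
    if not key:
        return None
    name = VALUE_NAME.search(cmdline)
    data = VALUE_DATA.search(cmdline)
    return (key.group(1), name.group(1) if name else None, data.group(1) if data else None)


def analyse(events):
    """One finding per cmd.exe line that sleeps, self-copies or persists."""
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue  # the chain is visible in the cmd.exe line; ping/reg children are its fragments
        cmd = e["cmdline"]
        cp = COPY.search(cmd)
        f = {"pid": e["pid"], "sleep_s": ping_sleep_seconds(cmd),
             "run_key": run_key_persistence(cmd), "copy_dst": cp.group(2) if cp else None}
        if f["sleep_s"] or f["run_key"] or f["copy_dst"]:
            findings.append(f)
    return findings


def summarize(findings):
    """Correlate the findings: total evasion delay and whether persistence targets a fresh copy."""
    persisted = {f["run_key"][2].lower() for f in findings if f["run_key"] and f["run_key"][2]}
    copied = {f["copy_dst"].lower() for f in findings if f["copy_dst"]}
    return {
        "total_sleep_s": sum(f["sleep_s"] for f in findings),
        "run_key_values": sorted(f["run_key"][1] for f in findings if f["run_key"]),
        "persisted_paths": sorted(persisted),
        "persists_relocated_copy": bool(persisted & copied),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(analyse(EVENTS)), indent=2))
```

The sleep total (about two minutes across the two chains) is the number to compare against a sandbox's execution budget; the correlation between the /d data of the Run value and the copy destination is what separates this chain from an installer that legitimately registers itself.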
Malware Configuration

NanoCore configuration extracted from 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack:

{
  "Version": "1.2.2.0",
  "Mutex": "2c83c052-5c8c-4da8-8e82-9c1bb5be",
  "Group": "9812",
  "Domain1": "9812.hopto.org",
  "Domain2": "91.193.75.133",
  "Port": 9812,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}
Source | Rule | Description | Author | Strings
00000000.00000002.420676515.0000000002643000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x43e7f:$x1: NanoCore.ClientPluginHost
  • 0x76c6f:$x1: NanoCore.ClientPluginHost
  • 0xa9a4f:$x1: NanoCore.ClientPluginHost
  • 0x43ebc:$x2: IClientNetworkHost
  • 0x76cac:$x2: IClientNetworkHost
  • 0xa9a8c:$x2: IClientNetworkHost
  • 0x479ef:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x7a7df:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xad5bf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  (Each string hits three times at a near-constant stride of about 0x32df0 bytes, consistent with three copies of the same unpacked NanoCore image in this region.)
00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x43be7:$a: NanoCore
  • 0x43bf7:$a: NanoCore
  • 0x43e2b:$a: NanoCore
  • 0x43e3f:$a: NanoCore
  • 0x43e7f:$a: NanoCore
  • 0x769d7:$a: NanoCore
  • 0x769e7:$a: NanoCore
  • 0x76c1b:$a: NanoCore
  • 0x76c2f:$a: NanoCore
  • 0x76c6f:$a: NanoCore
  • 0xa97b7:$a: NanoCore
  • 0xa97c7:$a: NanoCore
  • 0xa99fb:$a: NanoCore
  • 0xa9a0f:$a: NanoCore
  • 0xa9a4f:$a: NanoCore
  • 0x43c46:$b: ClientPlugin
  • 0x43e48:$b: ClientPlugin
  • 0x43e88:$b: ClientPlugin
  • 0x76a36:$b: ClientPlugin
  • 0x76c38:$b: ClientPlugin
  • 0x76c78:$b: ClientPlugin
  (12 further entries not shown)
Source | Rule | Description | Author | Strings
0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
  • 0xe0f5:$x1: NanoCore Client
  • 0xe105:$x1: NanoCore Client
  • 0xe34d:$x2: NanoCore.ClientPlugin
  • 0xe38d:$x3: NanoCore.ClientPluginHost
  • 0xe342:$i1: IClientApp
  • 0xe363:$i2: IClientData
  • 0xe36f:$i3: IClientNetwork
  • 0xe37e:$i4: IClientAppHost
  • 0xe3a7:$i5: IClientDataHost
  • 0xe3b7:$i6: IClientLoggingHost
  • 0xe3ca:$i7: IClientNetworkHost
  • 0xe3dd:$i8: IClientUIHost
  • 0xe3eb:$i9: IClientNameObjectCollection
  • 0xe407:$i10: IClientReadOnlyNameObjectCollection
  • 0xe154:$s1: ClientPlugin
  • 0xe356:$s1: ClientPlugin
  • 0xe84a:$s2: EndPoint
  • 0xe853:$s3: IPAddress
  • 0xe85d:$s4: IPEndPoint
  • 0x10293:$s6: get_ClientSettings
  • 0x10837:$s7: get_Connected
  (48 further entries not shown)

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: SFNM#U007e12345HBV-09876567.exe | ReversingLabs: Detection: 88%
Source: SFNM#U007e12345HBV-09876567.exe | Virustotal: Detection: 79%
Source: SFNM#U007e12345HBV-09876567.exe | Metadefender: Detection: 33%
Source: 91.193.75.133 | Avira URL Cloud: Label: malware
Source: 9812.hopto.org | Avira URL Cloud: Label: malware
Source: 91.193.75.133 | Virustotal: Detection: 11%
Source: C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe | ReversingLabs: Detection: 88%
Source: C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe | Metadefender: Detection: 33%
Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SFNM#U007e12345HBV-09876567.exe PID: 588, type: MEMORYSTR
Source: SFNM#U007e12345HBV-09876567.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe | Joe Sandbox ML: detected
Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack | Malware Configuration Extractor: NanoCore (full configuration listed above)
Source: SFNM#U007e12345HBV-09876567.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.185.164:443 -> 192.168.2.4:49696 version: TLS 1.2
Source: SFNM#U007e12345HBV-09876567.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
Source: Malware configuration extractor | URLs: 9812.hopto.org
Source: Malware configuration extractor | URLs: 91.193.75.133
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: www.google.com; Connection: Keep-Alive (no User-Agent header)
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Note for triage: apart from the configured C2 hosts (9812.hopto.org and 91.193.75.133 on port 9812) and the GET / to www.google.com, the URLs below are not contact points. The fontbureau.com, carterandcone.com, jiyu-kobo.co.jp, founder.com.cn, monotype, sajatypeworks.com, goodfont.co.kr, galapagosdesign.com, fonts.com and fontfabrik.com strings are vendor/copyright URLs from font resources, the ns.ado* fragments are pieces of the ns.adobe.com XMP namespace URI, the globalsign CRL URL is a certificate's CRL distribution point, and the schemas.xmlsoap.org claims URL is the .NET ClaimTypes.Name constant. Trailing characters such as "k", "_Z", "N" or "8" are string-scan overrun into adjacent bytes.

Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000002.420049059.0000000000962000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.327493781.0000000000962000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.343011143.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.342501858.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.418804128.0000000006248000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.340800596.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.419016717.000000000624E000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.340235301.0000000006244000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.342178988.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.341281240.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.340546586.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.343237476.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.341513125.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.342726715.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.341974759.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.341036444.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.343497885.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.341738243.000000000624F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ns.ado/1
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.418804128.0000000006248000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.419016717.000000000624E000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.340235301.0000000006244000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.343011143.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.342501858.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.418804128.0000000006248000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.340800596.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.419016717.000000000624E000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.340235301.0000000006244000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.342178988.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.341281240.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.340546586.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.343237476.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.341513125.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.342726715.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.341974759.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.341036444.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.343497885.000000000624F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.341738243.000000000624F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.420527964.00000000025F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.332961781.000000000621A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com_Z
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comk
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.como.-
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.418922541.0000000006200000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.335070520.000000000621B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.418922541.0000000006200000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.332613138.0000000006203000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.332668572.0000000006212000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.332032257.000000000622E000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.331997347.000000000622D000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.332124047.000000000622E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.332032257.000000000622E000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.331997347.000000000622D000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.332124047.000000000622E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnz.
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.333907905.000000000620B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.334377911.0000000006203000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334225674.0000000006209000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334024770.000000000620C000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.333907905.000000000620B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//lA
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.334377911.0000000006203000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334225674.0000000006209000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334024770.000000000620C000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.333907905.000000000620B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/6l8
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Dl&
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.334377911.0000000006203000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334225674.0000000006209000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.334024770.000000000620C000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.333907905.000000000620B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Rl
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.334377911.0000000006203000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334225674.0000000006209000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.334377911.0000000006203000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Yl
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.334225674.0000000006209000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/it-i
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.334377911.0000000006203000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334225674.0000000006209000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=l/
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Yl
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.334377911.0000000006203000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/wl
Source: SFNM#U007e12345HBV-09876567.exe, dumps 00000000.00000003.418922541.0000000006200000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.427852516.0000000006214000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.
Source: SFNM#U007e12345HBV-09876567.exe, dump 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.331568930.000000000620E000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comgo
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comslnt
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333614957.000000000620D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comt
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cna
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.420527964.00000000025F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.420527964.00000000025F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
            Source: unknownDNS traffic detected: queries for: www.google.com
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 142.250.185.164:443 -> 192.168.2.4:49696 version: TLS 1.2
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.419784361.00000000008C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud

            Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: SFNM#U007e12345HBV-09876567.exe PID: 588, type: MEMORYSTR

            System Summary

            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
            Source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
            Source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
            Source: Process Memory Space: SFNM#U007e12345HBV-09876567.exe PID: 588, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: SFNM#U007e12345HBV-09876567.exe PID: 588, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: SFNM#U007e12345HBV-09876567.exe PID: 588, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
            Source: SFNM#U007e12345HBV-09876567.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
            Source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
            Source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
            Source: Process Memory Space: SFNM#U007e12345HBV-09876567.exe PID: 588, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: Process Memory Space: SFNM#U007e12345HBV-09876567.exe PID: 588, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: SFNM#U007e12345HBV-09876567.exe PID: 588, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_00D532F0
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_00D586B0
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_00D53918
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_00D50A68
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_00D56A20
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_00D5BF48
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_04BD4C50
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_0791D188
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_07918C4F
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_07918C60
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_079C6698
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe | Code function: 0_2_079C7B50
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.426344952.0000000004D30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamexnvi3838.dll2 vs SFNM#U007e12345HBV-09876567.exe
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000000.317508622.0000000000EA0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSFNM~12345HBV-09876567.exeH vs SFNM#U007e12345HBV-09876567.exe
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.419784361.00000000008C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SFNM#U007e12345HBV-09876567.exe
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.425246168.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamexnvi3838.dll2 vs SFNM#U007e12345HBV-09876567.exe
            Source: SFNM#U007e12345HBV-09876567.exe | Binary or memory string: OriginalFilenameSFNM~12345HBV-09876567.exeH vs SFNM#U007e12345HBV-09876567.exe
            Source: SFNM#U007e12345HBV-09876567.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SFNM~12345HBV-09876567.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe"
            Source: Joe Sandbox ViewDropped File: C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe 9CF831EC812B6928EB2FE0C9625DA78E8F294D6A5B255DDF894BBBE5B3F7698A
            Source: SFNM#U007e12345HBV-09876567.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SFNM~12345HBV-09876567.exe.4.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SFNM#U007e12345HBV-09876567.exeReversingLabs: Detection: 88%
            Source: SFNM#U007e12345HBV-09876567.exeVirustotal: Detection: 79%
            Source: SFNM#U007e12345HBV-09876567.exeMetadefender: Detection: 33%
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe "C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe"
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe" "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 41
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe"
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SFNM#U007e12345HBV-09876567.exe.log
            Source: classification engine Classification label: mal100.troj.evad.winEXE@15/6@1/3
            Source: SFNM#U007e12345HBV-09876567.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:972:120:WilError_01
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: SFNM#U007e12345HBV-09876567.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: SFNM#U007e12345HBV-09876567.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: Yara match File source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000000.00000002.420676515.0000000002643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.422453842.000000000293F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: SFNM#U007e12345HBV-09876567.exe PID: 588, type: MEMORYSTR
            Source: SFNM#U007e12345HBV-09876567.exe, Fr73/Wz97.cs .Net Code: NewLateBinding.LateCall(((TypeInfo)V_8).GetMethods()[0], null, "Invoke", new object[] { null, new object[0] }, null, null, null, true)
            Source: 0.0.SFNM#U007e12345HBV-09876567.exe.e10000.0.unpack, Fr73/Wz97.cs .Net Code: NewLateBinding.LateCall(((TypeInfo)V_8).GetMethods()[0], null, "Invoke", new object[] { null, new object[0] }, null, null, null, true)
            Source: SFNM~12345HBV-09876567.exe.4.dr, Fr73/Wz97.cs .Net Code: NewLateBinding.LateCall(((TypeInfo)V_8).GetMethods()[0], null, "Invoke", new object[] { null, new object[0] }, null, null, null, true)
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Code function: 0_2_04BD580D push E905C65Eh; retf
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Code function: 0_2_07916EE7 push ss; retf
            Source: initial sample Static PE information: section name: .text entropy: 6.851889706302912
            Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe

            Boot Survival

            Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CHRIST,MARICERTYK

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe File opened: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe\:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 41
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe TID: 5936 Thread sleep time: -31359464925306218s >= -30000s
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe TID: 5936 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\PING.EXE TID: 6084 Thread sleep count: 37 > 30
            Source: C:\Windows\SysWOW64\PING.EXE TID: 6084 Thread sleep time: -37000s >= -30000s
            Source: C:\Windows\SysWOW64\PING.EXE TID: 5296 Thread sleep count: 39 > 30
            Source: C:\Windows\SysWOW64\PING.EXE TID: 5296 Thread sleep time: -39000s >= -30000s
            Source: C:\Windows\SysWOW64\PING.EXE TID: 5952 Thread sleep count: 32 > 30
            Source: C:\Windows\SysWOW64\PING.EXE TID: 5952 Thread sleep time: -32000s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Window / User API: threadDelayed 9879
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Thread delayed: delay time: 30000
            Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.327428788.0000000000935000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe" "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 38
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 41
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 41
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SFNM#U007e12345HBV-09876567.exe PID: 588, type: MEMORYSTR

Remote Access Functionality

Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.382d230.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.3761ae2.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SFNM#U007e12345HBV-09876567.exe.37fa462.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SFNM#U007e12345HBV-09876567.exe PID: 588, type: MEMORYSTR
MITRE ATT&CK Matrix (a number before a technique is the match count shown by the report)

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | 11 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Masquerading | 1 Input Capture | 11 Security Software Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Registry Run Keys / Startup Folder | 1 Modify Registry | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Remote Access Software | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Disable or Modify Tools | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 21 Virtualization/Sandbox Evasion | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 11 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | 13 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Hidden Files and Directories | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
Behavior Graph ID: 709714
Sample: SFNM#U007e12345HBV-09876567.exe
Startdate: 26/09/2022
Architecture: WINDOWS
Score: 100

Sample-level signatures:
• Multi AV Scanner detection for domain / URL
• Malicious sample detected (through community Yara rule)
• Antivirus detection for URL or domain
• 9 other signatures

Process tree:
• SFNM#U007e12345HBV-09876567.exe (started)
  • DNS/IP: www.google.com 142.250.185.164, 443, 49696 GOOGLEUS United States
  • DNS/IP: 192.168.2.1 unknown unknown
  • Dropped: C:\...\SFNM#U007e12345HBV-09876567.exe.log, ASCII
  • Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  • cmd.exe (started)
    • Signature: Uses ping.exe to sleep
    • Signature: Uses ping.exe to check the status of other devices and networks
    • reg.exe (started)
      • Signature: Creates autostart registry keys with suspicious names
    • PING.EXE (started)
      • DNS/IP: 127.0.0.1 unknown unknown
    • conhost.exe (started)
  • cmd.exe (started)
    • Dropped: C:\Users\user\...\SFNM~12345HBV-09876567.exe, PE32
    • Dropped: SFNM~12345HBV-0987...exe:Zone.Identifier, ASCII
    • conhost.exe (started)
    • PING.EXE (started)
    • PING.EXE (started)

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| SFNM#U007e12345HBV-09876567.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
| SFNM#U007e12345HBV-09876567.exe | 79% | Virustotal | | Browse |
| SFNM#U007e12345HBV-09876567.exe | 33% | Metadefender | | Browse |
| SFNM#U007e12345HBV-09876567.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
| C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe | 33% | Metadefender | | Browse |
            No Antivirus matches
            No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| www.google.com | 142.250.185.164 | true | false | | high |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| 9812.hopto.org | true | Avira URL Cloud: malware | unknown |
| 91.193.75.133 | true | 11%, Virustotal, Browse; Avira URL Cloud: malware | unknown |
| https://www.google.com/ | false | | high |
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.comaSFNM#U007e12345HBV-09876567.exe, 00000000.00000003.418922541.0000000006200000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/jp/YlSFNM#U007e12345HBV-09876567.exe, 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.carterandcone.comlSFNM#U007e12345HBV-09876567.exe, 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.carterandcone.comkSFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNSFNM#U007e12345HBV-09876567.exe, 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.founder.com.cn/cnSFNM#U007e12345HBV-09876567.exe, 00000000.00000003.332613138.0000000006203000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.427997639.0000000007412000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.332668572.0000000006212000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.332032257.000000000622E000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.331997347.000000000622D000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.332124047.000000000622E000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/frere-user.htmlSFNM#U007e12345HBV-09876567.exe, 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.zhongyicts.com.cnaSFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/Y0/SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.monotype.SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.418922541.0000000006200000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.427852516.0000000006214000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.carterandcone.como.-SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      low
                                      http://www.jiyu-kobo.co.jp/YlSFNM#U007e12345HBV-09876567.exe, 00000000.00000003.334377911.0000000006203000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333907905.000000000620B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/iSFNM#U007e12345HBV-09876567.exe, 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers8SFNM#U007e12345HBV-09876567.exe, 00000000.00000002.428587712.00000000074FD000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.jiyu-kobo.co.jp/6l8SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.334377911.0000000006203000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.334225674.0000000006209000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.334024770.000000000620C000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333907905.000000000620B000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/jp/=l/SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/Dl&SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.334521202.000000000620C000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.com/designers/SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.335070520.000000000621B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.carterandcone.com_ZSFNM#U007e12345HBV-09876567.exe, 00000000.00000003.333387167.000000000620D000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low
                                          http://ns.ado/1SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.343011143.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.342501858.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.418804128.0000000006248000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.340800596.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.419016717.000000000624E000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.340235301.0000000006244000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.342178988.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.341281240.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.340546586.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.343237476.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.341513125.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.342726715.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.341974759.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.341036444.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.343497885.000000000624F000.00000004.00000800.00020000.00000000.sdmp, SFNM#U007e12345HBV-09876567.exe, 00000000.00000003.341738243.000000000624F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
Contacted IPs:
IP:142.250.185.164
Domain:www.google.com
Country:United States
ASN:15169
ASN Name:GOOGLEUS
Malicious:false
Private and loopback IPs seen:
• 192.168.2.1
• 127.0.0.1
                                          Joe Sandbox Version:36.0.0 Rainbow Opal
                                          Analysis ID:709714
                                          Start date and time:2022-09-26 07:57:54 +02:00
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 6m 38s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:SFNM#U007e12345HBV-09876567.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:15
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@15/6@1/3
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 91%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
Time:07:59:09
Type:API Interceptor
Description:180x Sleep call for process: SFNM#U007e12345HBV-09876567.exe modified
                                          No context
                                          Process:C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLU84qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7GE4Kx1qE4KE4j:Mgv2HKXwYHKhQnoPtHoxHhAHKzvGHKxx
                                          MD5:6601BE2C4834904CD917BA61AE5C10E2
                                          SHA1:2AB6A81BFA9DC031F5D2538AB94FC99074AD5241
                                          SHA-256:85212C0C71D214CD899B0E3FDD41A1D149E44FEFA5DD42B419B2299BC6FCC34F
                                          SHA-512:2F825EC08F2A34A6540F862EDD948E5674D66C94E371C9EF3CDA0AA657E0A8EB8F6260A9EE7A582A1EC30C16CC8094ECC60F3406D2904A9AA0B38918205C5EA6
                                          Malicious:true
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutra
                                          Process:C:\Windows\SysWOW64\cmd.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):769536
                                          Entropy (8bit):6.094150307159493
                                          Encrypted:false
                                          SSDEEP:12288:rJ26PbRFhkQ9Ki7cSFa9dWnSC8tLBL+TqZfs+fOrFCnT08KpfuJ:rBLhii7cl9gSCQV+Tq+FqSY
                                          MD5:54E31B7E289BEA078ED769A046C3842E
                                          SHA1:BF7D74CB34792B258F46E29221C4CBFF57BB6979
                                          SHA-256:9CF831EC812B6928EB2FE0C9625DA78E8F294D6A5B255DDF894BBBE5B3F7698A
                                          SHA-512:C59CE40F882F2B197A50C5127C49744101BC0F8376D414CD71750859B527377862BBC1D420DC9DAE756D1C772C1D99258FD4DC30B7D175CDC3E4E0DE168F5B38
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 88%
• Antivirus: Metadefender, Detection: 33%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................................ ........@.. ....................... ............`.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............G.............................................................o.s....<..2.a..`...04....<.L..+..N...A...7....e...\v.|.....[zJk=.E1...2.......e....y0...T.....[\}....?/[/&P.m{.!...-..F..].M...O".....F.....\.....9....k.".+.kU ({.e..:.....U.....[id..().D.s.EZ0.~..D.N....^?C..2.....%.zpF...Za5M....~4..4.^.8!..kUi..$..u.<R...,g~.&?.n.R.......wiW..R...X..Z..u..h..%.pI....,.}Tu..8.Y^A."sbBn..C..S.............j$.B.G.;.r8.7A.....N.!....8.b...m.J...6}.<T...{6
                                          Process:C:\Windows\SysWOW64\cmd.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0
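The two records above belong together: cmd.exe first writes a byte-identical copy of the submitted sample (its MD5, SHA-1 and SHA-256 match the sample's own hashes in the static section below) and then a 26-byte Zone.Identifier stream containing ZoneId=0, which is the behaviour behind the "Hides that the sample has been downloaded from the Internet (zone.identifier)" signature. A file tagged with zone 0 (Local Machine) carries no Mark-of-the-Web, so SmartScreen and Office protected view never see it as a download. The following parser is an added example, not code from the report or from Joe Sandbox; the sample stream is reconstructed from the preview and the stated size of 26 bytes, and the exact CRLF placement is an assumption that matches that length.

```python
"""Parse and triage a Zone.Identifier (Mark-of-the-Web) stream.

Added example, not part of the Joe Sandbox report. SAMPLE_STREAM is reconstructed
from the report's preview "[ZoneTransfer]....ZoneId=0" and its 26-byte size; the
position of the line breaks is an assumption that matches that size.
"""
from dataclasses import dataclass
from typing import Optional

# URLZONE values Windows writes into Zone.Identifier.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed to match the report's preview and 26-byte size.
SAMPLE_STREAM = b"[ZoneTransfer]\r\n\r\nZoneId=0"


@dataclass
class ZoneIdentifier:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, "unknown")


def parse_zone_identifier(data: bytes) -> ZoneIdentifier:
    """Parse the INI-style [ZoneTransfer] section; tolerates a BOM, blank lines and CRLF."""
    text = data.decode("utf-8-sig", errors="replace")
    in_section = False
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone = fields.get("zoneid")
    try:
        zone_id = int(zone) if zone is not None else None
    except ValueError:
        zone_id = None
    return ZoneIdentifier(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def triage(data: bytes, file_was_modified: bool) -> str:
    """Classify a stream the way an analyst reads this section of a sandbox report.

    A stream that a process rewrites to zone 0, 1 or 2 on a file it created or
    copied is the MotW-removal pattern; a freshly written zone 3 with a HostUrl
    is an ordinary browser download.
    """
    zi = parse_zone_identifier(data)
    if zi.zone_id is None:
        return "malformed: no ZoneId"
    if file_was_modified and zi.zone_id in (0, 1, 2):
        return f"suspicious: MotW rewritten to zone {zi.zone_id} ({zi.zone_name})"
    if zi.zone_id >= 3:
        return f"benign: zone {zi.zone_id} ({zi.zone_name}) host={zi.host_url or '-'}"
    return f"info: zone {zi.zone_id} ({zi.zone_name})"
```

On a live host the same stream is read with `Get-Content -Stream Zone.Identifier` or opened as `file.exe:Zone.Identifier`; the category "modified" in the report is what distinguishes a rewrite from the stream a browser writes at download time.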
                                          Process:C:\Windows\SysWOW64\PING.EXE
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1661
                                          Entropy (8bit):4.623493426598425
                                          Encrypted:false
                                          SSDEEP:12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeT6:/Q
                                          MD5:C94F668E28CA2D6BBF8BAA3E56B85B6D
                                          SHA1:6DA56D02B8396C2F9931CD2DC125A03BEEEA8991
                                          SHA-256:CB52A56A1A7C12F7210FDB4EF2A89683F843B504C82C34CB32CD846C83273C0B
                                          SHA-512:D2F4EDBD67A70CB494577A94D35AB0835313305E0C5DDEE93E8665878677B961502564AC009F276D6E8F899132D685E771F21542FA26F9AB833C9B2345303DA6
                                          Malicious:false
                                          Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt
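The ping.exe output above is what the "Uses ping.exe to sleep" signature refers to: a `ping -n N 127.0.0.1` run from cmd.exe produces one "Reply from 127.0.0.1" line per second, so N replies cost the caller about N-1 seconds of wall-clock time without any Sleep API call that a sandbox hooks. The script below is an added example, not from the report or from Joe Sandbox: it counts the reply lines to recover the delay and applies a command-line heuristic for process-creation telemetry. The sample output is constructed to match the preview's format (the preview in the report is truncated, so any count taken from it is a lower bound), and the command lines in the test are constructed too; the report does not show the real one.

```python
"""Estimate the delay hidden in a ping.exe "sleep" and flag it on the command line.

Added example, not part of the Joe Sandbox report. Windows ping.exe sends one
echo request per second by default, so `ping -n N 127.0.0.1` stalls cmd.exe for
roughly N-1 seconds. SAMPLE_OUTPUT is constructed to match the report's preview
format; the report's own preview is truncated, so counts from it are lower bounds.
"""
import re
import shlex
from typing import Optional, Tuple

REPLY_RE = re.compile(
    r"^Reply from (?P<ip>[\d.]+): bytes=\d+ time[<=]\d+ms TTL=\d+", re.MULTILINE
)
SENT_RE = re.compile(r"Packets: Sent = (?P<sent>\d+), Received = (?P<recv>\d+)")

# Constructed: header plus eight loopback replies, the same shape as the preview.
SAMPLE_OUTPUT = (
    "\r\nPinging 127.0.0.1 with 32 bytes of data:\r\n"
    + "Reply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\n" * 8
)


def count_replies(output: str) -> Tuple[Optional[str], int, Optional[int]]:
    """Return (target ip, number of reply lines, Sent count from the summary if present)."""
    replies = [m.group("ip") for m in REPLY_RE.finditer(output)]
    summary = SENT_RE.search(output)
    sent = int(summary.group("sent")) if summary else None
    return (replies[0] if replies else None), len(replies), sent


def estimated_sleep_seconds(output: str) -> int:
    """ping -n N waits one second between echoes and not after the last one."""
    _, replies, sent = count_replies(output)
    n = sent if sent is not None else replies
    return max(n - 1, 0)


def is_ping_sleep(cmdline: str, min_count: int = 5) -> bool:
    """Heuristic for process-creation logs: loopback target plus a large -n count.

    A short count against a real host is a reachability check (the report flags
    that separately); a long count against 127.0.0.1 only exists to burn time.
    """
    try:
        argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:
        return False
    if not argv:
        return False
    image = argv[0].lower().rsplit("\\", 1)[-1]
    if image not in ("ping", "ping.exe"):
        return False
    count = 4  # ping.exe default when -n is absent
    target = None
    i = 1
    while i < len(argv):
        a = argv[i].lower()
        if a == "-n" and i + 1 < len(argv) and argv[i + 1].isdigit():
            count = int(argv[i + 1])
            i += 2
        elif a in ("-w", "-l", "-i", "-s") and i + 1 < len(argv):
            i += 2  # options that take a value
        elif a.startswith("-") or a.startswith(">") or a in ("nul", "&", "&&", "2>&1"):
            i += 1  # flags and the usual "> nul" redirection
        else:
            if target is None:
                target = a
            i += 1
    loopback = target in ("localhost", "::1") or (target or "").startswith("127.")
    return loopback and count >= min_count
```

The same heuristic maps directly onto a Sysmon EventID 1 or Windows 4688 rule: parent cmd.exe, image ping.exe, command line matching a loopback target with `-n` above a threshold.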
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.094150307159493
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:SFNM#U007e12345HBV-09876567.exe
                                          File size:769536
                                          MD5:54e31b7e289bea078ed769a046c3842e
                                          SHA1:bf7d74cb34792b258f46e29221c4cbff57bb6979
                                          SHA256:9cf831ec812b6928eb2fe0c9625da78e8f294d6a5b255ddf894bbbe5b3f7698a
                                          SHA512:c59ce40f882f2b197a50c5127c49744101bc0f8376d414cd71750859b527377862bbc1d420dc9dae756d1c772c1d99258fd4dc30b7d175cdc3e4e0de168f5b38
                                          SSDEEP:12288:rJ26PbRFhkQ9Ki7cSFa9dWnSC8tLBL+TqZfs+fOrFCnT08KpfuJ:rBLhii7cl9gSCQV+Tq+FqSY
                                          TLSH:4EF4E18B73E4B931C03E33B265599275C3B1DDA68901CB5B18CC76DC7BBB2896B41683
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................................ ........@.. ....................... ............`................................
                                          Icon Hash:2e5958b060c28490
                                          Entrypoint:0x48f1fe
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0xCDAF51F [Mon Nov 1 06:03:11 1976 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the previous line repeats 97 times: the disassembler has run past the 6-byte jmp stub into the zero bytes that pad the rest of the entry point, and 00 00 decodes as add byte ptr [eax], al)

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8f1ac          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x90000          0x2e4ad       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x8d204       0x8d400   False     0.7057383849557523   data       6.851889706302912    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x90000          0x2e4ad       0x2e600   False     0.28041294642857145  data       3.227757825341738    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc0000          0xc           0x200     False     0.041015625          data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name           RVA      Size     Type  Language  Country
RT_ICON        0x902b0  0x57cb   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x95a7c  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 134217728, next used block 117440512
RT_ICON        0xa62a4  0x94a8   data
RT_ICON        0xaf74c  0x5488   data
RT_ICON        0xb4bd4  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294961151, next used block 4294967295
RT_ICON        0xb8dfc  0x25a8   data
RT_ICON        0xbb3a4  0x10a8   data
RT_ICON        0xbc44c  0x988    data
RT_ICON        0xbcdd4  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xbd23c  0x84     data
RT_VERSION     0xbd2c0  0x3d8    data
RT_MANIFEST    0xbd698  0xe15    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

DLL          Import
mscoree.dll  _CorExeMain

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Sep 26, 2022 07:58:57.350486040 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:57.350558996 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:57.350661993 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:57.418685913 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:57.418719053 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:57.472275972 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:57.472438097 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:57.498578072 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:57.498614073 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:57.498876095 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:57.547626972 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.448642969 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.491370916 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.518033981 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.518081903 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.518111944 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.518140078 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.518174887 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.518215895 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.518230915 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.519001961 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.519076109 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.519098997 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.520114899 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.520183086 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.520205975 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.521287918 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.521363020 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.521384954 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.522505999 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.522576094 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.522597075 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.537000895 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.537070990 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.537101984 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.537329912 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.537379026 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.537394047 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.539891958 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.539928913 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.540015936 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.540049076 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.540098906 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.540958881 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.542149067 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.542232990 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.542253971 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.543391943 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.543428898 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.543483019 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.543512106 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.543555975 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.544575930 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.545723915 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.545757055 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.545834064 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.545862913 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.545909882 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.546937943 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.548094034 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.548125982 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.548190117 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.548218966 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.548264980 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.549196005 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.550570011 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.550606012 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.550658941 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.550690889 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.550709009 CEST  443          49696      142.250.185.164  192.168.2.4
Sep 26, 2022 07:58:58.550738096 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.550770998 CEST  49696        443        192.168.2.4      142.250.185.164
Sep 26, 2022 07:58:58.553805113 CEST  49696        443        192.168.2.4      142.250.185.164

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 26, 2022 07:58:57.299617052 CEST  56572        53         192.168.2.4  8.8.8.8
Sep 26, 2022 07:58:57.319142103 CEST  53           56572      8.8.8.8      192.168.2.4

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class        DNS over HTTPS
Sep 26, 2022 07:58:57.299617052 CEST  192.168.2.4  8.8.8.8  0x1d06    Standard query (0)  www.google.com  A (IP address)  IN (0x0001)  false

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name            CName  Address          Type            Class        DNS over HTTPS
Sep 26, 2022 07:58:57.319142103 CEST  8.8.8.8    192.168.2.4  0x1d06    No error (0)  www.google.com         142.250.185.164  A (IP address)  IN (0x0001)  false
                                          • www.google.com

Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
0           192.168.2.4  49696        142.250.185.164  443               C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe

Timestamp                kBytes transferred  Direction  Data
2022-09-26 05:58:58 UTC  0                   OUT        GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
2022-09-26 05:58:58 UTC  0                   IN         HTTP/1.1 200 OK
                                          Date: Mon, 26 Sep 2022 05:58:58 GMT
                                          Expires: -1
                                          Cache-Control: private, max-age=0
                                          Content-Type: text/html; charset=ISO-8859-1
                                          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                          Server: gws
                                          X-XSS-Protection: 0
                                          X-Frame-Options: SAMEORIGIN
                                          Set-Cookie: AEC=AakniGP5wxLmHrrGmHRZoxmZ-Bc9wzeNfU7VsEiFYh4Fkv3djam3lXq2_xc; expires=Sat, 25-Mar-2023 05:58:58 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                          Set-Cookie: __Secure-ENID=7.SE=aeOWZeBIWKoBaPSjTXXCOiV1fAF4U2lbBECcVosoLtWooqOPKwFGbuF7N29a99QJ5wMWCQKTEtiXIw2P4dEx0tD6lGJQ9PYK1CJCeWQI0DA1AR0dAdKtdNttUFnAswnM4A_v-qbooPldBzNuet-eq0E1tcsAJjMTyGjLskkdFNc; expires=Thu, 26-Oct-2023 22:17:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                          Set-Cookie: CONSENT=PENDING+312; expires=Wed, 25-Sep-2024 05:58:58 GMT; path=/; domain=.google.com; Secure
                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                          Accept-Ranges: none
                                          Vary: Accept-Encoding
                                          Connection: close
                                          Transfer-Encoding: chunked
                                          2022-09-26 05:58:58 UTC1INData Raw: 35 36 39 61 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e
                                          Data Ascii: 569a<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta con
                                          2022-09-26 05:58:58 UTC1INData Raw: 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 62 67 39 79 35 4f 76 57 64 43 63 4b 48 5a 70 76 59 59 72 34 37 51 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 3d 7b 6b 45 49 3a 27 6f 6a 38 78 59 36 57 48 48 49 75 50 39 75 38 50 79 62 79 61 79 41 34 27 2c 6b 45 58 50 49 3a 27 30 2c 32 30 32 35 32 36 2c 31 31 30 30 30 31 30 2c 35 36 38 37 33 2c 36 30 35 38 2c 32 30 37 2c 34 38 30 34 2c 32 33 31 36 2c 33 38 33 2c
                                          Data Ascii: tent="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="bg9y5OvWdCcKHZpvYYr47Q">(function(){window.google={kEI:'oj8xY6WHHIuP9u8PybyayA4',kEXPI:'0,202526,1100010,56873,6058,207,4804,2316,383,
                                          2022-09-26 05:58:58 UTC2INData Raw: 31 35 35 37 2c 31 31 38 30 31 31 36 2c 31 39 36 34 2c 33 30 39 34 2c 31 33 35 37 38 2c 33 34 30 36 2c 35 35 34 33 2c 34 37 34 31 2c 31 33 35 37 38 38 35 2c 31 37 31 37 32 27 2c 6b 42 4c 3a 27 78 39 56 45 27 7d 3b 67 6f 6f 67 6c 65 2e 73 6e 3d 27 77 65 62 68 70 27 3b 67 6f 6f 67 6c 65 2e 6b 48 4c 3d 27 65 6e 2d 47 42 27 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 76 61 72 20 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 68 2c 6b 3d 5b 5d 3b 66 75 6e 63 74 69 6f 6e 20 6c 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3b 61 26 26 28 21 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 7c 7c 21 28 62 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 65 69 64 22 29 29 29 3b 29 61 3d 61 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 72 65 74 75 72 6e 20 62 7c 7c 68 7d
                                          Data Ascii: 1557,1180116,1964,3094,13578,3406,5543,4741,1357885,17172',kBL:'x9VE'};google.sn='webhp';google.kHL='en-GB';})();(function(){var f=this||self;var h,k=[];function l(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||h}
                                          2022-09-26 05:58:58 UTC3INData Raw: 6e 28 61 2c 62 2c 63 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 5b 61 5d 2c 62 2c 63 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 67 6f 6f 67 6c 65 2e 66 3d 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 73 75 62 6d 69 74 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 69 66 28 61 3d 62 2e 74 61 72 67 65 74 29 7b 76 61 72 20 63 3d 61 2e
                                          Data Ascii: n(a,b,c){google.lq.push([[a],b,c])};google.loadAll=function(a,b){google.lq.push([a,b])};google.bx=!1;google.lx=function(){};}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.target){var c=a.
                                          2022-09-26 05:58:58 UTC5INData Raw: 7d 23 67 62 62 77 7b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 33 30 70 78 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 74 63 62 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 23 67 62 7a 20 2e 67 62 74 63 62 7b 72 69 67 68 74 3a 30 7d 23 67 62 67 20 2e 67 62 74 63 62 7b 6c 65 66 74 3a 30 7d 2e 67 62 78 78 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 78 6f 7b 6f 70 61 63 69 74 79 3a 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65
                                          Data Ascii: }#gbbw{left:0;position:absolute;top:30px;width:100%}.gbtcb{position:absolute;visibility:hidden}#gbz .gbtcb{right:0}#gbg .gbtcb{left:0}.gbxx{display:none !important}.gbxo{opacity:0 !important;filter:alpha(opacity=0) !important}.gbm{position:absolute;z-inde
                                          2022-09-26 05:58:58 UTC6INData Raw: 62 6d 63 2c 2e 67 62 6d 63 63 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 2e 67 62 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 32 3b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 3b 70 61 64 64 69 6e 67 3a 30 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 67 62 74 7b 2a 64 69 73
                                          Data Ascii: bmc,.gbmcc{display:block;list-style:none;margin:0;padding:0}.gbmc{background:#fff;padding:10px 0;position:relative;z-index:2;zoom:1}.gbt{position:relative;display:-moz-inline-box;display:inline-block;line-height:27px;padding:0;vertical-align:top}.gbt{*dis
                                          2022-09-26 05:58:58 UTC7INData Raw: 73 2c 2e 67 62 67 74 2d 68 76 72 2c 2e 67 62 67 74 3a 66 6f 63 75 73 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 63 34 63 34 63 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 2d 31 30 32 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 78 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 70 64 6a 73 20 2e 67 62 74 6f 20 2e 67 62 6d 7b 6d 69 6e 2d 77 69 64 74 68 3a 39 39 25 7d 2e 67 62 7a 30 6c 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f
                                          Data Ascii: s,.gbgt-hvr,.gbgt:focus{background-color:#4c4c4c;background-image:none;_background-image:none;background-position:0 -102px;background-repeat:repeat-x;outline:none;text-decoration:none !important}.gbpdjs .gbto .gbm{min-width:99%}.gbz0l .gbtb2{border-top-co
                                          2022-09-26 05:58:58 UTC8INData Raw: 36 70 78 20 2d 32 32 70 78 7d 2e 67 62 6e 20 2e 67 62 6d 74 2c 2e 67 62 6e 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6e 64 20 2e 67 62 6d 74 2c 2e 67 62 6e 64 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 64 64 38 65 32 37 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 66 20 2e 67 62 6d 74 2c 2e 67 62 66 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 39 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 33 36 63 20 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65
                                          Data Ascii: 6px -22px}.gbn .gbmt,.gbn .gbmt:visited,.gbnd .gbmt,.gbnd .gbmt:visited{color:#dd8e27 !important}.gbf .gbmt,.gbf .gbmt:visited{color:#900 !important}.gbmt,.gbml1,.gbmlb,.gbmt:visited,.gbml1:visited,.gbmlb:visited{color:#36c !important;text-decoration:none
                                          2022-09-26 05:58:58 UTC10INData Raw: 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 32 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 32 29 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 7d 23 67 62 64 34 20 2e 67 62 6d 68 7b 6d 61 72 67 69 6e 3a 30 7d 2e 67 62 6d 74 63 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 47 42 4d 43 43 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 2c 23 47 42 4d 50 41 4c 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 27 5c 30 41 5c 30 41 27 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65
                                          Data Ascii: :0 2px 4px rgba(0,0,0,.12);box-shadow:0 2px 4px rgba(0,0,0,.12);position:relative;z-index:1}#gbd4 .gbmh{margin:0}.gbmtc{padding:0;margin:0;line-height:27px}.GBMCC:last-child:after,#GBMPAL:last-child:after{content:'\0A\0A';white-space:pre;position:absolute
                                          2022-09-26 05:58:58 UTC11INData Raw: 66 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 20 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 7d 2e 67 62 6d 70 61 6c 61 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 7d 2e 67 62 6d 70 61 6c 62 7b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 72 69 67 68 74 7d 23 67 62 6d 70 61 73 62 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 7d 23 67 62 6d 70 61 6c 20 2e 67 62 71 66 62 62 7b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 2e 67 62 70 30 20 2e 67 62 70 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 61 2e 67 62 69 62 61 7b 6d 61 72 67 69 6e 3a 38 70 78 20 32 30 70 78 20 31 30 70 78 7d 2e 67
                                          Data Ascii: f;line-height:27px;padding:10px 20px 0;white-space:nowrap}.gbmpala{padding-left:0;text-align:left}.gbmpalb{padding-right:0;text-align:right}#gbmpasb .gbps{color:#000}#gbmpal .gbqfbb{margin:0 20px}.gbp0 .gbps{*display:inline}a.gbiba{margin:8px 20px 10px}.g
                                          2022-09-26 05:58:58 UTC12INData Raw: 20 30 20 31 70 78 20 23 66 66 66 2c 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 2e 67 62 71 66 62 2d 6e 6f 2d 66 6f 63 75 73 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 37 39 65 64 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 2d 68 76 72 2c 2e 67 62 71 66 62 61 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28
                                          Data Ascii: 0 1px #fff,0 1px 1px rgba(0,0,0,.1)}.gbqfb-no-focus:focus{border:1px solid #3079ed;-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.gbqfb-hvr,.gbqfba-hvr,.gbqfbb-hvr{-webkit-box-shadow:0 1px 1px rgba(0,0,0,.1);-moz-box-shadow:0 1px 1px rgba(
                                          2022-09-26 05:58:58 UTC14INData Raw: 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29
                                          Data Ascii: adient(top,#4d90fe,#357ae8);background-image:-moz-linear-gradient(top,#4d90fe,#357ae8);background-image:-ms-linear-gradient(top,#4d90fe,#357ae8);background-image:-o-linear-gradient(top,#4d90fe,#357ae8);background-image:linear-gradient(top,#4d90fe,#357ae8)
                                          2022-09-26 05:58:58 UTC15INData Raw: 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 38 66 38 66 38 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 38 66 38 66 38 2c 23 66 31 66 31 66 31 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 38 66 38 66 38 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 31 66 31 66 31 27 29 7d 2e 67 62 71 66 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c
                                          Data Ascii: r-gradient(top,#f8f8f8,#f1f1f1);background-image:linear-gradient(top,#f8f8f8,#f1f1f1);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#f8f8f8',EndColorStr='#f1f1f1')}.gbqfbb{background-color:#fff;background-image:-webkit-gradient(linear,l
                                          2022-09-26 05:58:58 UTC16INData Raw: 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 63 6f 6c 6f 72 3a 23 32 32 32 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 71 66 62 61 3a 61 63 74 69 76 65 2c 2e 67 62 71 66 62 62 3a 61 63 74 69 76 65 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32
                                          Data Ascii: ,.1);-moz-box-shadow:0 1px 1px rgba(0,0,0,.1);box-shadow:0 1px 1px rgba(0,0,0,.1);color:#222 !important}.gbqfba:active,.gbqfbb:active{-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2
                                          2022-09-26 05:58:58 UTC17INData Raw: 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 30 2c 30 2c 30 2c 2e 33 29 3b 74 6f 70 3a 30 7d 2e 67 62 73 62 20 2e 67 62 73 62 62 7b 2d 77 65 62 6b 69 74 2d 6d 61 73 6b 2d 62 6f 78 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 72 69 67 68 74 20 74 6f 70 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 30 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 2e 35 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 6c 65 66 74 20
                                          Data Ascii: ;border-color:rgba(0,0,0,.3);top:0}.gbsb .gbsbb{-webkit-mask-box-image:-webkit-gradient(linear,left top,right top,color-stop(0,rgba(0,0,0,.1)),color-stop(.5,rgba(0,0,0,.8)),color-stop(1,rgba(0,0,0,.1)));background:-webkit-gradient(linear,left bottom,left
                                          2022-09-26 05:58:58 UTC19INData Raw: 76 65 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 7d 2e 66 6c 20 61 7b 63 6f 6c 6f 72 3a 23 31 35 35 38 64 36 7d 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 34 62 31 31 61 38 7d 2e 73 62 6c 63 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 35 70 78 7d 2e 73 62 6c 63 20 61 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 32 70 78 20 30 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 33 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 7d 2e 6c 73 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 66 39 66 61 3b 62 6f 72 64 65 72 3a 73 6f 6c 69 64 20 31 70 78 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 64 61 64 63 65 30 20 23 37 30 37 35 37 61 20 23 37 30 37 35 37 61 20 23 64 61 64 63 65 30 3b 68 65 69 67 68 74
                                          Data Ascii: ve{text-decoration:underline}.fl a{color:#1558d6}a:visited{color:#4b11a8}.sblc{padding-top:5px}.sblc a{display:block;margin:2px 0;margin-left:13px;font-size:11px}.lsbb{background:#f8f9fa;border:solid 1px;border-color:#dadce0 #70757a #70757a #dadce0;height
                                          2022-09-26 05:58:58 UTC20INData Raw: 28 65 3d 33 29 2c 63 2b 3d 22 26 73 63 72 69 70 74 3d 22 2b 62 28 67 29 2c 66 26 26 67 3d 3d 3d 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 26 26 28 66 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6f 75 74 65 72 48 54 4d 4c 2e 73 70 6c 69 74 28 22 5c 6e 22 29 5b 66 5d 2c 63 2b 3d 22 26 63 61 64 3d 22 2b 62 28 66 3f 66 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 33 30 30 29 3a 22 4e 6f 20 73 63 72 69 70 74 20 66 6f 75 6e 64 2e 22 29 29 29 3b 63 2b 3d 22 26 6a 73 65 6c 3d 22 2b 65 3b 66 6f 72 28 76 61 72 20 75 20 69 6e 20 64 29 63 2b 3d 22 26 22 2c 63 2b 3d 62 28 75 29 2c 63 2b 3d 22 3d 22 2c 63 2b 3d 62 28 64 5b 75 5d 29 3b 63 3d 63 2b 22 26 65 6d 73 67 3d 22 2b 62 28 61 2e 6e 61 6d 65 2b 22 3a 20 22 2b 61 2e 6d
                                          Data Ascii: (e=3),c+="&script="+b(g),f&&g===window.location.href&&(f=document.documentElement.outerHTML.split("\n")[f],c+="&cad="+b(f?f.substring(0,300):"No script found.")));c+="&jsel="+e;for(var u in d)c+="&",c+=b(u),c+="=",c+=b(d[u]);c=c+"&emsg="+b(a.name+": "+a.m
                                          2022-09-26 05:58:58 UTC21INData Raw: 74 74 61 63 68 45 76 65 6e 74 29 61 2e 61 74 74 61 63 68 45 76 65 6e 74 28 64 2c 63 29 3b 65 6c 73 65 7b 76 61 72 20 66 3d 61 5b 64 5d 3b 61 5b 64 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6b 3d 66 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 2c 6c 3d 63 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 20 30 3d 3d 6b 3f 6c 3a 76 6f 69 64 20 30 3d 3d 6c 3f 6b 3a 6c 26 26 6b 7d 7d 7d 76 61 72 20 64 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 67 2e 62 76 2e 6d 3d 3d 61 7d 7d 2c 65 61 3d 64 61 28 31 29 2c 66 61 3d 64 61 28 32 29 3b 70 28 22 73 62 22 2c 65 61 29 3b 70 28 22 6b 6e 22 2c 66 61 29 3b 68 2e 61
                                          Data Ascii: ttachEvent)a.attachEvent(d,c);else{var f=a[d];a[d]=function(){var k=f.apply(this,arguments),l=c.apply(this,arguments);return void 0==k?l:void 0==l?k:l&&k}}}var da=function(a){return function(){return g.bv.m==a}},ea=da(1),fa=da(2);p("sb",ea);p("kn",fa);h.a
                                          2022-09-26 05:58:58 UTC22INData Raw: 66 35 0d 0a 7c 7c 62 5b 31 5d 2e 73 7c 7c 28 62 5b 31 5d 2e 73 3d 21 30 2c 72 61 28 32 2c 61 29 2c 62 5b 31 5d 2e 75 72 6c 26 26 71 61 28 62 5b 31 5d 2e 75 72 6c 2c 61 29 2c 62 5b 31 5d 2e 6c 69 62 73 26 26 44 26 26 44 28 62 5b 31 5d 2e 6c 69 62 73 29 29 7d 2c 74 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 28 22 67 63 22 2c 61 29 7d 2c 75 61 3d 6e 75 6c 6c 2c 76 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 75 61 3d 61 7d 2c 72 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 75 61 29 7b 61 3d 7b 74 3a 61 2c 62 3a 62 7d 3b 69 66 28 63 29 66 6f 72 28 76 61 72 20 64 20 69 6e 20 63 29 61 5b 64 5d 3d 63 5b 64 5d 3b 74 72 79 7b 75 61 28 61 29 7d 63 61 74 63 68 28 66 29 7b 7d 7d 7d 3b 70 28 22 6d 64 63 22 2c 77 29 3b 70 28 22 6d 64 0d 0a
                                          Data Ascii: f5||b[1].s||(b[1].s=!0,ra(2,a),b[1].url&&qa(b[1].url,a),b[1].libs&&D&&D(b[1].libs))},ta=function(a){B("gc",a)},ua=null,va=function(a){ua=a},ra=function(a,b,c){if(ua){a={t:a,b:b};if(c)for(var d in c)a[d]=c[d];try{ua(a)}catch(f){}}};p("mdc",w);p("md
                                          2022-09-26 05:58:58 UTC23INData Raw: 36 35 66 38 0d 0a 69 22 2c 6b 61 29 3b 70 28 22 62 6e 63 22 2c 78 29 3b 70 28 22 71 47 43 22 2c 74 61 29 3b 70 28 22 71 6d 22 2c 43 29 3b 70 28 22 71 64 22 2c 41 29 3b 70 28 22 6c 62 22 2c 73 61 29 3b 70 28 22 6d 63 66 22 2c 6f 61 29 3b 70 28 22 62 63 66 22 2c 6e 61 29 3b 70 28 22 61 71 22 2c 42 29 3b 70 28 22 6d 64 64 22 2c 22 22 29 3b 0a 70 28 22 68 61 73 22 2c 70 61 29 3b 70 28 22 74 72 68 22 2c 76 61 29 3b 70 28 22 74 65 76 22 2c 72 61 29 3b 69 66 28 68 2e 61 28 22 6d 3b 2f 5f 2f 73 63 73 2f 61 62 63 2d 73 74 61 74 69 63 2f 5f 2f 6a 73 2f 6b 3d 67 61 70 69 2e 67 61 70 69 2e 65 6e 2e 49 4b 35 4f 6d 55 55 52 64 32 45 2e 4f 2f 64 3d 31 2f 72 73 3d 41 48 70 4f 6f 6f 39 33 32 4a 69 6e 6b 53 4a 48 4b 39 32 57 67 56 6a 49 56 2d 4a 77 77 79 75 33 52 77 2f 6d
                                          Data Ascii: 65f8i",ka);p("bnc",x);p("qGC",ta);p("qm",C);p("qd",A);p("lb",sa);p("mcf",oa);p("bcf",na);p("aq",B);p("mdd","");p("has",pa);p("trh",va);p("tev",ra);if(h.a("m;/_/scs/abc-static/_/js/k=gapi.gapi.en.IK5OmUURd2E.O/d=1/rs=AHpOoo932JinkSJHK92WgVjIV-Jwwyu3Rw/m
                                          2022-09-26 05:58:58 UTC24INData Raw: 65 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 28 29 2c 22 26 6a 65 78 70 69 64 3d 22 2c 64 28 22 32 38 38 33 34 22 29 2c 22 26 73 72 63 70 67 3d 22 2c 64 28 22 70 72 6f 70 3d 31 22 29 2c 22 26 6a 73 72 3d 22 2c 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 46 61 29 2c 22 26 6f 67 65 76 3d 22 2c 64 28 22 6f 6a 38 78 59 2d 65 6b 48 65 54 46 37 5f 55 50 68 4f 4f 31 79 41 73 22 29 2c 22 26 6f 67 66 3d 22 2c 67 2e 62 76 2e 66 2c 22 26 6f 67 72 70 3d 22 2c 64 28 22 22 29 2c 22 26 6f 67 76 3d 22 2c 64 28 22 34 37 33 36 33 35 31 38 32 2e 30 22 29 2c 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 38 30 31 2e 30 5f 70 30 22 29 2c 22 26 6f 67 64 3d 22 2c 64 28 22 63 6f 6d 22 29 2c 22 26 6f 67 63 3d 22 2c 64 28 22 47 42 52 22
                                          Data Ascii: ew Date).getTime(),"&jexpid=",d("28834"),"&srcpg=",d("prop=1"),"&jsr=",Math.round(1/Fa),"&ogev=",d("oj8xY-ekHeTF7_UPhOO1yAs"),"&ogf=",g.bv.f,"&ogrp=",d(""),"&ogv=",d("473635182.0"),"&oggv="+d("es_plusone_gc_20220801.0_p0"),"&ogd=",d("com"),"&ogc=",d("GBR"
                                          2022-09-26 05:58:58 UTC25INData Raw: 4e 48 55 51 6b 6e 72 76 78 51 57 6c 62 4a 67 65 79 54 6d 71 49 75 77 51 22 5d 3b 4b 61 26 26 61 2e 70 75 73 68 28 22 3f 68 6f 73 74 3d 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 26 62 75 73 74 3d 6f 67 2e 6f 67 32 2e 65 6e 5f 55 53 2e 67 33 65 72 6a 35 31 55 38 45 59 2e 44 55 22 29 3b 61 3d 61 2e 6a 6f 69 6e 28 22 22 29 3b 71 61 28 61 29 7d 3b 70 28 22 63 61 22 2c 49 29 3b 70 28 22 63 72 22 2c 4a 29 3b 70 28 22 63 63 22 2c 48 29 3b 68 2e 6b 3d 49 3b 68 2e 6c 3d 4a 3b 68 2e 6d 3d 48 3b 68 2e 6e 3d 4d 61 3b 68 2e 70 3d 4f 61 3b 68 2e 71 3d 4e 61 3b 76 61 72 20 50 61 3d 5b 22 67 62 5f 37 31 22 2c 22 67 62 5f 31 35 35 22 5d 2c 51 61 3b 66 75 6e 63 74 69 6f 6e 20 52 61 28 61 29 7b 51 61 3d 61 7d 66 75 6e 63 74 69 6f 6e 20 53 61 28 61 29 7b 76 61 72 20 62 3d
                                          Data Ascii: NHUQknrvxQWlbJgeyTmqIuwQ"];Ka&&a.push("?host=www.gstatic.com&bust=og.og2.en_US.g3erj51U8EY.DU");a=a.join("");qa(a)};p("ca",I);p("cr",J);p("cc",H);h.k=I;h.l=J;h.m=H;h.n=Ma;h.p=Oa;h.q=Na;var Pa=["gb_71","gb_155"],Qa;function Ra(a){Qa=a}function Sa(a){var b=
                                          2022-09-26 05:58:58 UTC26INData Raw: 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 6e 29 3b 6d 26 26 6d 2e 70 61 72 65 6e 74 4e 6f 64 65 26 26 4a 28 6d 2e 70 61 72 65 6e 74 4e 6f 64 65 2c 22 67 62 74 6f 22 29 7d 7d 7d 24 61 28 66 29 26 26 61 62 28 66 29 3b 4e 3d 64 3b 49 28 6b 2c 22 67 62 74 6f 22 29 7d 7d 7d 7d 43 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 74 67 28 61 2c 62 2c 21 30 29 7d 29 3b 62 62 28 61 29 7d 63 61 74 63 68 28 71 29 7b 72 28 71 2c 22 73 62 22 2c 22 74 67 22 29 7d 7d 2c 64 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 43 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 63 6c 6f 73 65 28 61 29 7d 29 7d 2c 65 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 43 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 72 64 64 28 61 29 7d 29 7d 2c 5a 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 2c
                                          Data Ascii: getElementById(n);m&&m.parentNode&&J(m.parentNode,"gbto")}}}$a(f)&&ab(f);N=d;I(k,"gbto")}}}}C(function(){g.tg(a,b,!0)});bb(a)}catch(q){r(q,"sb","tg")}},db=function(a){C(function(){g.close(a)})},eb=function(a){C(function(){g.rdd(a)})},Za=function(a){var b,
                                          2022-09-26 05:58:58 UTC28INData Raw: 6e 64 43 68 69 6c 64 28 6c 29 7d 7d 63 61 74 63 68 28 42 62 29 7b 72 28 42 62 2c 22 73 62 22 2c 22 61 6c 22 29 7d 7d 2c 66 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 6f 72 28 76 61 72 20 63 3d 62 2e 6c 65 6e 67 74 68 2c 0a 64 3d 30 3b 64 3c 63 3b 64 2b 2b 29 69 66 28 48 28 61 2c 62 5b 64 5d 29 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 67 62 28 61 2c 62 2c 63 29 7d 2c 69 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 62 28 61 2c 22 67 62 65 22 2c 62 29 7d 2c 6a 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 43 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 70 63 6d 26 26 67 2e 70 63 6d 28 29 7d 29 7d 2c 6b 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 43 28 66 75 6e 63 74 69 6f 6e 28 29 7b
                                          Data Ascii: ndChild(l)}}catch(Bb){r(Bb,"sb","al")}},fb=function(a,b){for(var c=b.length,d=0;d<c;d++)if(H(a,b[d]))return!0;return!1},hb=function(a,b,c){gb(a,b,c)},ib=function(a,b){gb(a,"gbe",b)},jb=function(){C(function(){g.pcm&&g.pcm()})},kb=function(){C(function(){
                                          2022-09-26 05:58:58 UTC29INData Raw: 29 69 66 28 48 28 62 2c 22 67 62 6d 73 67 22 29 29 72 65 74 75 72 6e 20 62 7d 2c 4f 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 71 62 26 26 77 69 6e 64 6f 77 2e 63 6c 65 61 72 54 69 6d 65 6f 75 74 28 71 62 29 7d 2c 75 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 22 69 6e 6e 65 72 22 2b 61 3b 61 3d 22 6f 66 66 73 65 74 22 2b 61 3b 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 5b 62 5d 3f 77 69 6e 64 6f 77 5b 62 5d 3a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 26 26 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 5b 61 5d 3f 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 5b 61 5d 3a 30 7d 2c 76 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 21 31 7d 2c 77 62 3d 66 75 6e
                                          Data Ascii: )if(H(b,"gbmsg"))return b},O=function(){qb&&window.clearTimeout(qb)},ub=function(a){var b="inner"+a;a="offset"+a;return window[b]?window[b]:document.documentElement&&document.documentElement[a]?document.documentElement[a]:0},vb=function(){return!1},wb=fun
                                          2022-09-26 05:58:58 UTC30INData Raw: 29 7d 3b 77 69 6e 64 6f 77 2e 5f 5f 50 56 54 3d 22 22 3b 76 61 72 20 45 62 3d 5b 31 2c 32 2c 33 2c 34 2c 35 2c 36 2c 39 2c 31 30 2c 31 31 2c 31 33 2c 31 34 2c 32 38 2c 32 39 2c 33 30 2c 33 34 2c 33 35 2c 33 37 2c 33 38 2c 33 39 2c 34 30 2c 34 31 2c 34 32 2c 34 33 2c 34 38 2c 34 39 2c 35 30 30 5d 3b 76 61 72 20 46 62 3d 68 2e 62 28 22 30 2e 30 30 31 22 2c 31 45 2d 34 29 2c 47 62 3d 68 2e 62 28 22 31 22 2c 31 29 2c 48 62 3d 21 31 2c 49 62 3d 21 31 3b 69 66 28 68 2e 61 28 22 31 22 29 29 7b 76 61 72 20 4a 62 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 4a 62 3c 46 62 26 26 28 48 62 3d 21 30 29 3b 4a 62 3c 47 62 26 26 28 49 62 3d 21 30 29 7d 76 61 72 20 51 3d 6e 75 6c 6c 3b 0a 66 75 6e 63 74 69 6f 6e 20 4b 62 28 61 2c 62 29 7b 76 61 72 20 63 3d 46 62 2c 64 3d
                                          Data Ascii: )};window.__PVT="";var Eb=[1,2,3,4,5,6,9,10,11,13,14,28,29,30,34,35,37,38,39,40,41,42,43,48,49,500];var Fb=h.b("0.001",1E-4),Gb=h.b("1",1),Hb=!1,Ib=!1;if(h.a("1")){var Jb=Math.random();Jb<Fb&&(Hb=!0);Jb<Gb&&(Ib=!0)}var Q=null;function Kb(a,b){var c=Fb,d=
                                          2022-09-26 05:58:58 UTC31INData Raw: 66 75 6e 63 74 69 6f 6e 28 29 7b 43 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 70 72 6d 28 29 7d 29 7d 2c 50 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 43 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 73 70 6e 28 61 29 7d 29 7d 2c 51 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 43 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 73 70 73 28 61 29 7d 29 7d 2c 52 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 43 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 73 70 70 28 61 29 7d 29 7d 2c 53 62 3d 7b 22 32 37 22 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 32 34 22 2c 22 32 37 22 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e
                                          Data Ascii: function(){C(function(){g.prm()})},Pb=function(a){C(function(){g.spn(a)})},Qb=function(a){C(function(){g.sps(a)})},Rb=function(a){C(function(){g.spp(a)})},Sb={"27":"https://lh3.googleusercontent.com/ogw/default-user=s24","27":"https://lh3.googleuserconten
                                          2022-09-26 05:58:58 UTC33INData Raw: 2c 62 63 3d 0a 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 59 28 5b 31 5d 2c 22 61 6f 70 22 29 26 26 63 29 7b 69 66 28 57 29 66 6f 72 28 76 61 72 20 64 20 69 6e 20 57 29 57 5b 64 5d 3d 57 5b 64 5d 26 26 2d 31 21 3d 59 62 28 63 2c 64 29 3b 65 6c 73 65 20 66 6f 72 28 57 3d 7b 7d 2c 64 3d 30 3b 64 3c 63 2e 6c 65 6e 67 74 68 3b 64 2b 2b 29 57 5b 63 5b 64 5d 5d 3d 21 30 3b 67 2e 75 70 2e 73 70 6c 28 61 2c 62 2c 22 61 6f 70 22 2c 63 29 7d 7d 2c 63 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 69 66 28 58 3d 32 2c 21 58 62 29 7b 58 62 3d 21 30 3b 66 6f 72 28 76 61 72 20 61 20 69 6e 20 52 29 66 6f 72 28 76 61 72 20 62 3d 52 5b 61 5d 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 74 72 79 7b 62 5b 63 5d 28 5a 62 28 61 29 29 7d 63 61
                                          Data Ascii: ,bc=function(a,b,c){if(Y([1],"aop")&&c){if(W)for(var d in W)W[d]=W[d]&&-1!=Yb(c,d);else for(W={},d=0;d<c.length;d++)W[c[d]]=!0;g.up.spl(a,b,"aop",c)}},cc=function(){try{if(X=2,!Xb){Xb=!0;for(var a in R)for(var b=R[a],c=0;c<b.length;c++)try{b[c](Zb(a))}ca
                                          2022-09-26 05:58:58 UTC34INData Raw: 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 72 79 7b 69 66 28 64 63 28 61 29 29 72 65 74 75 72 6e 2d 31 3b 76 61 72 20 63 3d 61 2e 63 6f 6f 6b 69 65 2e 6d 61 74 63 68 28 2f 4f 47 50 43 3d 28 5b 5e 3b 5d 2a 29 2f 29 3b 69 66 28 63 26 26 63 5b 31 5d 29 7b 76 61 72 20 64 3d 63 5b 31 5d 2e 6d 61 74 63 68 28 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 62 22 2b 0a 62 2b 22 2d 28 5b 30 2d 39 5d 2b 29 3a 22 29 29 3b 69 66 28 64 26 26 64 5b 31 5d 29 72 65 74 75 72 6e 20 70 61 72 73 65 49 6e 74 28 64 5b 31 5d 2c 31 30 29 7d 7d 63 61 74 63 68 28 66 29 7b 66 2e 63 6f 64 65 21 3d 44 4f 4d 45 78 63 65 70 74 69 6f 6e 2e 51 55 4f 54 41 5f 45 58 43 45 45 44 45 44 5f 45 52 52 26 26 72 28 66 2c 22 75 70 22 2c 22 67 63 63 22 29 7d 72 65 74 75 72 6e 2d 31 7d 3b 70 28 22 75 70 22 2c
                                          Data Ascii: nction(a,b){try{if(dc(a))return-1;var c=a.cookie.match(/OGPC=([^;]*)/);if(c&&c[1]){var d=c[1].match(new RegExp("\\b"+b+"-([0-9]+):"));if(d&&d[1])return parseInt(d[1],10)}}catch(f){f.code!=DOMException.QUOTA_EXCEEDED_ERR&&r(f,"up","gcc")}return-1};p("up",
                                          2022-09-26 05:58:58 UTC35INData Raw: 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 61 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 61 2e 6d 63 66 28 22 70 6d 22 2c 7b 70 3a 22 22 7d 29 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79
                                          Data Ascii: n":"cfg.init"});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var a=window.gbar;a.mcf("pm",{p:""});}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(function(){try
                                          2022-09-26 05:58:58 UTC37INData Raw: 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 61 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 62 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 76 61 72 20 63 3d 62 2e 69 3b 76 61 72 20 64 3d 63 2e 61 2c 65 3d 63 2e 63 2c 66 3d 7b 63 74 79 3a 22 47 42 52 22 2c 63 76 3a 22 34 37 33 36 33 35 31 38 32 22 2c 64 62 67 3a 64 28 22 22 29 2c 65 63 76 3a 22 30 22 2c 65 69 3a 65 28 22 6f 6a 38 78 59 2d 65 6b 48 65 54 46 37 5f 55 50 68 4f 4f 31 79 41 73 22 29 2c
                                          Data Ascii: .init"});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var a=this||self;var b=window.gbar;var c=b.i;var d=c.a,e=c.c,f={cty:"GBR",cv:"473635182",dbg:d(""),ecv:"0",ei:e("oj8xY-ekHeTF7_UPhOO1yAs"),
                                          2022-09-26 05:58:58 UTC38INData Raw: 3d 67 62 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 62 67 39 79 35 4f 76 57 64 43 63 4b 48 5a 70 76 59 59 72 34 37 51 27 3e 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 65 6c 69 26 26 67 62 61 72 2e 65 6c 69 28 29 3c 2f 73 63 72 69 70 74 3e 3c 64 69 76 20 69 64 3d 67 62 77 3e 3c 64 69 76 20 69 64 3d 67 62 7a 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 63 62 3e 3c 2f 73 70 61 6e 3e 3c 6f 6c 20 69 64 3d 67 62 7a 63 20 63 6c 61 73 73 3d 67 62 74 63 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 22 67 62 7a 74 20 67 62 7a 30 6c 20 67 62 70 31 22 20 69 64 3d 67 62 5f 31 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 77 65 62 68 70 3f 74 61 62 3d 77 77 22 3e 3c 73 70 61
                                          Data Ascii: =gb><script nonce='bg9y5OvWdCcKHZpvYYr47Q'>window.gbar&&gbar.eli&&gbar.eli()</script><div id=gbw><div id=gbz><span class=gbtcb></span><ol id=gbzc class=gbtc><li class=gbt><a class="gbzt gbz0l gbp1" id=gb_1 href="https://www.google.co.uk/webhp?tab=ww"><spa
                                          2022-09-26 05:58:58 UTC39INData Raw: 69 76 65 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 67 74 20 69 64 3d 67 62 7a 74 6d 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 3f 74 61 62 3d 77 68 22 20 20 61 72 69 61 2d 68 61 73 70 6f 70 75 70 3d 74 72 75 65 20 61 72 69 61 2d 6f 77 6e 73 3d 67 62 64 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 69 64 3d 67 62 7a 74 6d 73 20 63 6c 61 73 73 3d 22 67 62 74 73 20 67 62 74 73 61 22 3e 3c 73 70 61 6e 20 69 64 3d 67 62 7a 74 6d 73 31 3e 4d 6f 72 65 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 6d
                                          Data Ascii: ive</span></a></li><li class=gbt><a class=gbgt id=gbztm href="https://www.google.co.uk/intl/en/about/products?tab=wh" aria-haspopup=true aria-owns=gbd><span class=gbtb2></span><span id=gbztms class="gbts gbtsa"><span id=gbztms1>More</span><span class=gbm
                                          2022-09-26 05:58:58 UTC40INData Raw: 3d 67 62 6d 74 20 69 64 3d 67 62 5f 31 32 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 76 69 64 65 6f 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 76 22 3e 56 69 64 65 6f 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 32 35 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 63 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 64 6f 63 75 6d 65 6e 74 2f 3f 75 73 70 3d 64 6f 63 73 5f 61 6c 63 22 3e 44 6f 63 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 6d 74 20 67 62 6d 68 22 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 20 68 72
                                          Data Ascii: =gbmt id=gb_12 href="http://video.google.co.uk/?hl=en&tab=wv">Videos</a></li><li class=gbmtc><a class=gbmt id=gb_25 href="https://docs.google.com/document/?usp=docs_alc">Docs</a></li><li class=gbmtc><div class="gbmt gbmh"></div></li><li class=gbmtc><a hr
                                          2022-09-26 05:58:58 UTC42INData Raw: 42 79 49 64 28 27 67 62 67 35 27 29 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 20 63 6c 69 63 6b 48 61 6e 64 6c 65 72 28 29 20 7b 20 67 62 61 72 2e 74 67 28 65 76 65 6e 74 2c 74 68 69 73 29 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 20 69 64 3d 67 62 64 35 20 61 72 69 61 2d 6f 77 6e 65 72 3d 67 62 67 35 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 63 3e 3c 6f 6c 20 69 64 3d 67 62 6f 6d 20 63 6c 61 73 73 3d 67 62 6d 63 63 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 67 62 6b 63 20 67 62 6d 74 63 22 3e 3c 61 20 20 63 6c 61 73 73 3d 67 62 6d 74 20 68 72 65 66 3d 22 2f 70 72 65 66 65 72 65 6e 63 65 73 3f 68 6c 3d 65 6e 22 3e 53 65 61 72 63 68 20 73 65 74 74 69 6e 67
                                          Data Ascii: ById('gbg5').addEventListener('click', function clickHandler() { gbar.tg(event,this); });</script><div class=gbm id=gbd5 aria-owner=gbg5><div class=gbmc><ol id=gbom class=gbmcc><li class="gbkc gbmtc"><a class=gbmt href="/preferences?hl=en">Search setting
                                          2022-09-26 05:58:58 UTC43INData Raw: 30 30 22 20 61 75 74 6f 63 6f 6d 70 6c 65 74 65 3d 22 6f 66 66 22 20 76 61 6c 75 65 3d 22 22 20 74 69 74 6c 65 3d 22 47 6f 6f 67 6c 65 20 53 65 61 72 63 68 22 20 6d 61 78 6c 65 6e 67 74 68 3d 22 32 30 34 38 22 20 6e 61 6d 65 3d 22 71 22 20 73 69 7a 65 3d 22 35 37 22 3e 3c 2f 64 69 76 3e 3c 62 72 20 73 74 79 6c 65 3d 22 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 73 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 73 62 62 22 3e 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d 22 6c 73 62 22 20 76 61 6c 75 65 3d 22 47 6f 6f 67 6c 65 20 53 65 61 72 63 68 22 20 6e 61 6d 65 3d 22 62 74 6e 47 22 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 73 22
                                          Data Ascii: 00" autocomplete="off" value="" title="Google Search" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Search" name="btnG" type="submit"></span></span><span class="ds"
                                          2022-09-26 05:58:58 UTC44INData Raw: 67 62 76 3d 32 22 29 29 7b 76 61 72 20 66 3d 67 6f 6f 67 6c 65 2e 67 62 76 75 2c 67 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 76 22 29 3b 67 26 26 28 67 2e 76 61 6c 75 65 3d 61 29 3b 66 26 26 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 66 7d 2c 30 29 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 66 6f 72 6d 3e 3c 64 69 76 20 69 64 3d 22 67 61 63 5f 73 63 6f 6e 74 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 38 33 25 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 33 2e 35 65 6d 22 3e 3c 62 72 3e 3c 2f 64 69 76 3e 3c 73 70 61 6e 20 69 64 3d 22 66 6f 6f 74 65 72 22
                                          Data Ascii: gbv=2")){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div id="gac_scont"></div><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"
                                          2022-09-26 05:58:58 UTC45INData Raw: 3a 27 78 6a 73 2e 68 70 2e 6e 41 74 38 6d 6b 48 6c 76 56 77 2e 4c 2e 58 2e 4f 27 2c 63 73 3a 27 41 43 54 39 30 6f 46 62 53 6e 69 32 64 69 79 71 57 48 6b 5a 45 30 4e 42 50 77 76 77 4d 39 43 55 56 77 27 2c 65 78 63 6d 3a 5b 5d 7d 3b 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 20 20 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 62 67 39 79 35 4f 76 57 64 43 63 4b 48 5a 70 76 59 59 72 34 37 51 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 75 3d 27 2f 78 6a 73 2f 5f 2f 6a 73 2f 6b 5c 78 33 64 78 6a 73 2e 68 70 2e 65 6e 2e 50 61 32 46 7a 52 51 66 79 57 55 2e 4f 2f 61 6d 5c 78 33 64 41 41 43 65 41 41 41 6b 41 45 41 42 2f 64 5c 78 33 64 31 2f 65 64 5c 78 33 64 31 2f 72 73 5c 78 33 64 41 43 54 39 30 6f 47 47 4f 48 41 47 39 39 71 72 61 41 39 68 59 4d 73 78 64
                                          Data Ascii: :'xjs.hp.nAt8mkHlvVw.L.X.O',cs:'ACT90oFbSni2diyqWHkZE0NBPwvwM9CUVw',excm:[]};})();</script> <script nonce="bg9y5OvWdCcKHZpvYYr47Q">(function(){var u='/xjs/_/js/k\x3dxjs.hp.en.Pa2FzRQfyWU.O/am\x3dAACeAAAkAEAB/d\x3d1/ed\x3d1/rs\x3dACT90oGGOHAG99qraA9hYMsxd
                                          2022-09-26 05:58:58 UTC47INData Raw: 6f 67 6c 65 2e 78 6a 73 75 3d 75 3b 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 6e 28 29 7d 2c 30 29 3b 7d 29 28 29 3b 66 75 6e 63 74 69 6f 6e 20 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 65 29 7b 74 68 72 6f 77 20 65 3b 7d 0a 66 75 6e 63 74 69 6f 6e 20 5f 46 5f 69 6e 73 74 61 6c 6c 43 73 73 28 63 29 7b 7d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 6f 6f 67 6c 65 2e 6a 6c 3d 7b 62 6c 74 3a 27 6e 6f 6e 65 27 2c 63 68 6e 6b 3a 30 2c 64 77 3a 66 61 6c 73 65 2c 64 77 75 3a 74 72 75 65 2c 65 6d 74 6e 3a 30 2c 65 6e 64 3a 30 2c 69 6e 65 3a 66 61 6c 73 65 2c 69 6e 6a 73 3a 27 6e 6f 6e 65 27 2c 69 6e 6a 74 3a 30 2c 69 6e 6a 74 68 3a 30 2c 69 6e 6a 76 32 3a 66 61 6c 73 65 2c 6c 6c 73 3a 27 64 65 66 61 75 6c 74 27 2c 70 64 74 3a 30 2c 72 65
                                          Data Ascii: ogle.xjsu=u;setTimeout(function(){n()},0);})();function _DumpException(e){throw e;}function _F_installCss(c){}(function(){google.jl={blt:'none',chnk:0,dw:false,dwu:true,emtn:0,end:0,ine:false,injs:'none',injt:0,injth:0,injv2:false,lls:'default',pdt:0,re
                                          2022-09-26 05:58:58 UTC48INData Raw: 2f 73 63 72 69 70 74 3e 20 20 20 20 20 20 20 20 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: /script> </body></html>
                                          2022-09-26 05:58:58 UTC48INData Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0
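The response captured above is HTTP/1.1 chunked: the size lines are visible in the raw bytes (66 35 0d 0a = "f5", 36 35 66 38 0d 0a = "65f8") and the final entry 30 0d 0a 0d 0a is the zero-length terminating chunk. To inspect or hash the body the client actually received, the hex has to be turned back into bytes and the chunk framing stripped. The following is an added example, not part of the Joe Sandbox report and not sandbox code; the report's windows are 256-byte excerpts rather than a contiguous stream, so the input it works on is a short constructed chunked body, plus the report's own last line.

```python
"""Added example (not Joe Sandbox code): rebuild bytes from 'Data Raw:' lines of
a sandbox network dump and decode HTTP/1.1 chunked transfer encoding."""
import re

DATA_RAW_RE = re.compile(r"Data Raw:\s*((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_data_raw(line):
    """Decode one report line ('... Data Raw: 72 2d 67 ...') into bytes."""
    m = DATA_RAW_RE.search(line.strip())
    if not m:
        raise ValueError("not a Data Raw line: %r" % line[:40])
    return bytes.fromhex(m.group(1))  # fromhex skips the separating whitespace


def ascii_preview(data):
    """Same rendering as the report's 'Data Ascii' lines: printable bytes only."""
    return "".join(chr(b) for b in data if 32 <= b < 127)


def dechunk(body):
    """Decode a chunked HTTP body.  Returns (payload, complete): complete is
    True only once the terminating zero-length chunk ('0\\r\\n\\r\\n') was seen,
    so a truncated capture is reported instead of silently passed off as whole."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return bytes(out), False            # size line cut off
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not size_field:
            return bytes(out), False
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError("bad chunk size at offset %d: %r" % (pos, size_field))
        pos = eol + 2
        if size == 0:
            return bytes(out), True             # terminator; trailers are ignored
        chunk = body[pos:pos + size]
        out += chunk
        if len(chunk) < size:
            return bytes(out), False            # chunk data cut off
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk at offset %d" % pos)
        pos += 2


def reassemble(lines):
    """Concatenate the bytes of consecutive Data Raw lines and dechunk them."""
    return dechunk(b"".join(parse_data_raw(l) for l in lines))


# Constructed sample: "5\r\n<html\r\n", "10\r\n><body>hi</body>\r\n", and the
# terminator exactly as it appears on the report's last INData line.
SAMPLE_LINES = [
    "Data Raw: 35 0d 0a 3c 68 74 6d 6c 0d 0a",
    "Data Raw: 31 30 0d 0a 3e 3c 62 6f 64 79 3e 68 69 3c 2f 62 6f 64 79 3e 0d 0a",
    "2022-09-26 05:58:58 UTC48INData Raw: 30 0d 0a 0d 0a",
]

if __name__ == "__main__":
    payload, complete = reassemble(SAMPLE_LINES)
    print(complete, payload)
    print(ascii_preview(parse_data_raw(SAMPLE_LINES[2])))
```

Run it on the real dump by collecting every line of one direction (INData) of one connection in order; if complete comes back False the sandbox only stored excerpts, which is the case for the windows shown on this page.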



                                          Target ID:0
                                          Start time:07:58:54
                                          Start date:26/09/2022
                                          Path:C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe"
                                          Imagebase:0xe10000
                                          File size:769536 bytes
                                          MD5 hash:54E31B7E289BEA078ED769A046C3842E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.420676515.0000000002643000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.422453842.000000000293F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.426014225.00000000037FA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low

                                          Target ID:1
                                          Start time:07:59:07
                                          Start date:26/09/2022
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe
                                          Imagebase:0xd90000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:2
                                          Start time:07:59:08
                                          Start date:26/09/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7c72c0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:3
                                          Start time:07:59:09
                                          Start date:26/09/2022
                                          Path:C:\Windows\SysWOW64\PING.EXE
                                          Wow64 process (32bit):true
                                          Commandline:ping 127.0.0.1 -n 38
                                          Imagebase:0xde0000
                                          File size:18944 bytes
                                          MD5 hash:70C24A306F768936563ABDADB9CA9108
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:4
                                          Start time:07:59:39
                                          Start date:26/09/2022
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe" "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe
                                          Imagebase:0xd90000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:7
                                          Start time:07:59:41
                                          Start date:26/09/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7c72c0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:9
                                          Start time:07:59:41
                                          Start date:26/09/2022
                                          Path:C:\Windows\SysWOW64\PING.EXE
                                          Wow64 process (32bit):true
                                          Commandline:ping 127.0.0.1 -n 41
                                          Imagebase:0xde0000
                                          File size:18944 bytes
                                          MD5 hash:70C24A306F768936563ABDADB9CA9108
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:10
                                          Start time:07:59:50
                                          Start date:26/09/2022
                                          Path:C:\Windows\SysWOW64\reg.exe
                                          Wow64 process (32bit):true
                                          Commandline:REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe"
                                          Imagebase:0xc20000
                                          File size:59392 bytes
                                          MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:11
                                          Start time:08:00:25
                                          Start date:26/09/2022
                                          Path:C:\Windows\SysWOW64\PING.EXE
                                          Wow64 process (32bit):true
                                          Commandline:ping 127.0.0.1 -n 41
                                          Imagebase:0xde0000
                                          File size:18944 bytes
                                          MD5 hash:70C24A306F768936563ABDADB9CA9108
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

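The process chain recorded above (ping 127.0.0.1 -n 38/41 as a delay, a copy of the sample into the user's Favorites folder, the copy executed from there, and REG ADD into the HKCU Run key under the value name CHRIST,MARICERTYK) is the pattern a detection engineer would want to catch from process-creation telemetry rather than from the sandbox verdict. The following is an added example, not code from the Joe Sandbox report or from the malware: it runs a few command-line rules over records constructed from the command lines listed above (target IDs 1, 3, 4, 9, 10 and 11) plus one benign ping. The (pid, ppid, image, cmdline) record layout, the rule names and the sleep threshold are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records, copied from the command lines in the
# process tree above, plus one benign ping (pid 20) the rules should ignore.
# The tuple layout (pid, ppid, image, cmdline) is an assumption of this example.
SAMPLE_PROCESSES = [
    (1, 0, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe'),
    (3, 1, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 38"),
    (4, 0, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe" "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe'),
    (9, 4, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 41"),
    (10, 1, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe"'),
    (11, 4, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 41"),
    (20, 0, r"C:\Windows\System32\PING.EXE", "ping 10.0.0.5 -n 4"),  # benign contrast
]

PING = re.compile(r"\bping(?:\.exe)?\b", re.I)
LOOPBACK = re.compile(r"(?:^|\s)(?:127\.0\.0\.1|localhost|::1)(?:\s|$)", re.I)
PING_COUNT = re.compile(r"-n\s+(\d+)", re.I)
RUN_KEY = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(hk(?:cu|lm|ey_current_user|ey_local_machine)'
    r'\\software\\microsoft\\windows\\currentversion\\run(?:once)?)\b', re.I)
REG_VALUE = re.compile(r'/v\s+(?:"([^"]*)"|(\S+))', re.I)
# The closing quote after /d is optional: target 1's recorded command line lacks it.
REG_DATA = re.compile(r'/d\s+(?:"([^"]*)"?|(\S+))', re.I)
COPY = re.compile(r'\bcopy\s+(?:/y\s+)?(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))', re.I)
USER_PROFILE = re.compile(r"\\users\\[^\\]+\\", re.I)
SEPARATOR = re.compile(r"\s*(?:&&|\|\||\||&)\s*")
SLEEP_THRESHOLD = 10  # assumed: a loopback ping with -n above this is a timer, not diagnostics


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def segments(cmdline):
    """Split a cmd.exe chain on &&, ||, | and & into its individual commands."""
    return [s.strip() for s in SEPARATOR.split(cmdline) if s.strip()]


def ping_sleep(seg):
    """Return the -n count when this command pings loopback as a delay, else None."""
    if not (PING.search(seg) and LOOPBACK.search(seg)):
        return None
    m = PING_COUNT.search(seg)
    return int(m.group(1)) if m and int(m.group(1)) >= SLEEP_THRESHOLD else None


def first_group(match):
    return next((g for g in match.groups() if g is not None), "") if match else ""


def analyze(processes):
    """Run the command-line rules over (pid, ppid, image, cmdline) records."""
    findings = []
    for pid, _ppid, _image, cmdline in processes:
        segs = segments(cmdline)
        sleeps = [n for n in map(ping_sleep, segs) if n]
        for n in sleeps:
            findings.append(Finding(pid, "ping_sleep", f"loopback ping -n {n} used as a delay"))
        for i, seg in enumerate(segs):
            key = RUN_KEY.search(seg)
            if key:  # autorun written via reg.exe; note where it points
                name, data = first_group(REG_VALUE.search(seg)), first_group(REG_DATA.search(seg))
                findings.append(Finding(pid, "run_key_persistence", f"{key.group(1)} {name!r} -> {data!r}"))
                if USER_PROFILE.search(data):
                    findings.append(Finding(pid, "autorun_in_user_profile", data))
            c = COPY.search(seg)
            if c:  # file copied, then the copy launched later in the same chain
                dst = (c.group(3) or c.group(4)).casefold()
                if any(dst in later.casefold() for later in segs[i + 1:]):
                    findings.append(Finding(pid, "copy_then_execute", dst))
        if sleeps and any(f.pid == pid and f.rule != "ping_sleep" for f in findings):
            findings.append(Finding(pid, "delayed_persistence_chain",
                                    f"{len(sleeps)} delay(s) before persistence/relocation"))
    return findings


def summarize(findings):
    """Map pid -> set of rule names that fired for it."""
    out = {}
    for f in findings:
        out.setdefault(f.pid, set()).add(f.rule)
    return out


def verdict(findings):
    rules = {f.rule for f in findings}
    if rules & {"delayed_persistence_chain", "copy_then_execute", "autorun_in_user_profile"}:
        return "malicious"
    return "suspicious" if rules & {"run_key_persistence", "ping_sleep"} else "clean"


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESSES):
        print(f"pid {f.pid:>3}  {f.rule:<28} {f.detail}")
    print("verdict:", verdict(analyze(SAMPLE_PROCESSES)))
```

The count threshold only separates the -n 38 and -n 41 loopback pings from a handful of diagnostic pings; on its own it is noisy. The stronger signal is the chain: a loopback delay, a copy and a Run-key write or a launch of the copied file in the same cmd.exe command line, which is why delayed_persistence_chain is only raised when a delay and one of the other rules fire on the same process. Because reg.exe and PING.EXE are also logged as their own processes (targets 3, 9, 10, 11), the same findings appear twice in the output: once from the parent cmd.exe line and once from the child, which is useful when one of the two events is missing from telemetry.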
                                          No disassembly