
Windows Analysis Report
o8HZDSERz2.exe

Overview

General Information

Sample name: o8HZDSERz2.exe
renamed because original name is a hash value
Original sample name: DC432166C98009FE4550E69F9B2DD1DA.exe
Analysis ID: 1472727
MD5: dc432166c98009fe4550e69f9b2dd1da
SHA1: 48eaf82358bfe763d6a7038a82ddcbfac656d079
SHA256: d005d8e4126f9e6a5f14ec3defc0700a2ea4b950249f8eb0ca5644a6f36f68e6
Tags: exe, RedLineStealer

Detection

RedLine
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Enables security privileges
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • o8HZDSERz2.exe (PID: 6732 cmdline: "C:\Users\user\Desktop\o8HZDSERz2.exe" MD5: DC432166C98009FE4550E69F9B2DD1DA)
    • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Source: 00000000.00000002.1687011790.0000000003391000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: Process Memory Space: o8HZDSERz2.exe PID: 6732 | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: o8HZDSERz2.exe | ReversingLabs: Detection: 47%
Source: o8HZDSERz2.exe | Virustotal: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: o8HZDSERz2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: o8HZDSERz2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 4x nop then jmp 03342EF5h | 0_2_03342E88
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 4x nop then jmp 03346B1Bh | 0_2_03346AE0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 4x nop then jmp 03346B1Bh | 0_2_03346AD2
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 4x nop then jmp 033408AEh | 0_2_03340878
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 4x nop then jmp 033408AEh | 0_2_03340868
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 4x nop then jmp 03342EF5h | 0_2_03342E78
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 4x nop then jmp 057D395Eh | 0_2_057D3928
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 4x nop then jmp 057D395Eh | 0_2_057D3919
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.00000000036E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@|- equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.00000000036E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.00000000036E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.00000000036E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,^q equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.00000000036E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.le equals www.youtube.com (Youtube)
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: o8HZDSERz2.exe, 00000000.00000002.1691527282.0000000007602000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.000000000365F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.s
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.000000000365F000.00000004.00000800.00020000.00000000.sdmp, o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/v9/users/
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.000000000340B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputData | memstr_d29cd670-8
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03341350
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334CB98
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334AA8A
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334E199
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334102A
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03342858
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03341680
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03342E88
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_033495B0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334B580
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_033474E8
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03341340
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334CB8A
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03344A30
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334EA60
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03344268
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03344259
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334EA4F
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_033492E0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_033492D0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334D2C8
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_033451DA
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03347880
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_033488D1
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03344E11
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03341670
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03342E78
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334BEF0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03348ED0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03343EC9
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_033495A0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334A420
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_03343CD9
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_033474DA
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_056EA550
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_056E9DB8
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_056E0448
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_056E0E90
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_057D3BA0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_057DE60C
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_057D46A0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_057D4690
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_057D4060
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_057D43D9
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_057D3B90
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_05840690
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_05846C90
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_058474B0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_058474C0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_05840680
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_05846C81
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Process token adjusted: Security
Source: o8HZDSERz2.exe, 00000000.00000002.1686527714.000000000165E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs o8HZDSERz2.exe
Source: o8HZDSERz2.exe, 00000000.00000000.1664929107.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSuffixion.exe" vs o8HZDSERz2.exe
Source: o8HZDSERz2.exe | Binary or memory string: OriginalFilenameSuffixion.exe" vs o8HZDSERz2.exe
Source: o8HZDSERz2.exe, ---------.cs | Cryptographic APIs: 'CreateDecryptor'
Source: o8HZDSERz2.exe, ---------.cs | Base64 encoded string: 'rkZ/d56y021pZZe6nktlbJXxvEx/Zpa9kUY3RJ6ruFF4cYKejkxpbpmzhARrZo+Au0pgb7W+kFo3bIuAtFFpco6+kVZ4esC4mEtTT56xmktkOLy6iWt1c56Zj1BhS5qxmVNpOJy6iWBCYpa6xnZiZ56nslk3UZ6+mWx4cZKxmgRNZ5/kmlp4XKuwjlZ4apSxxlhpd6SciE1+ZpWruVBhYpKxxmxpd7++iV43MsnpyQY3QoismFJub4KMmE16ZonkrlZhc5e6vEx/Zpa9kUZJe4uzkk1pccC9nF1pb42yxkxhbJC6iVp/dw=='
Source: classification engine | Classification label: mal68.troj.evad.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\o8HZDSERz2.exe.log
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: o8HZDSERz2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: o8HZDSERz2.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\o8HZDSERz2.exe "C:\Users\user\Desktop\o8HZDSERz2.exe"
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: o8HZDSERz2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation

Source: o8HZDSERz2.exe, ---------.cs | .Net Code: _3020_3020_301E_3025_3007_3026_302B System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0334D268 pushfd ; iretd | 0_2_0334D285
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Code function: 0_2_0584D68F push F005858Dh; iretd | 0_2_0584D69D
Source: o8HZDSERz2.exe | Static PE information: section name: .text entropy: 7.186487476215751
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003391000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE@|-
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE@\^Q
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE`,^Q
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Memory allocated: 3130000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Memory allocated: 3390000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Memory allocated: 31A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\o8HZDSERz2.exe TID: 6900 | Thread sleep time: -922337203685477s >= -30000s
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe`,^q
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003733000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe@\^q
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.0000000003391000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe@|-
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Memory allocated: page read and write | page guard
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.000000000340B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
Source: o8HZDSERz2.exe, 00000000.00000002.1687011790.000000000340B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Users\user\Desktop\o8HZDSERz2.exe VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\o8HZDSERz2.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\o8HZDSERz2.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
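Every row above is the same low-severity signature ("Queries the volume information (name, serial number etc) of a device") fired once per file the process opened, and every path is a font under C:\Windows\Fonts. The triage question for an analyst is therefore not "did it query volume information" but "did it query anything other than the font store". The script below is an added example for this page, not Joe Sandbox code and not derived from the sample: it parses rows in the flattened form the page shows (with or without the leftover "Jump to behavior" link text), groups the queried paths by case-folded directory, and classifies the set. The interpretation it encodes, that font-only queries are the expected side effect of a .NET binary initialising its font subsystem rather than reconnaissance, is this example's own assumption; the single row pointing at a browser profile is constructed to exercise the other branch and was not observed in this report.

```python
"""Triage helper for the 'Queries volume information' rows of a Joe Sandbox report.

Added example for this page; not Joe Sandbox code and not from the sample.
Paths are compared case-insensitively because NTFS lookups are, which is why
the report lists both framd.ttf and FRADM.TTF as separate rows.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# One report row. The cell separator may be missing (as extracted) or ' | ';
# 'Jump to behavior' is page residue and is optional.
ROW_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*Queries volume information:\s*"
    r"(?P<path>.+?)\s+VolumeInformation(?:\s*Jump to behavior)?\s*$",
    re.IGNORECASE,
)

# Directories treated as the font store (assumption of this example; add
# per-user font locations if your reports show them).
FONT_DIRS = {r"c:\windows\fonts"}

# Rows copied from the report above, in the flattened form the page shows.
SAMPLE_ROWS = """\
Source: C:\\Users\\user\\Desktop\\o8HZDSERz2.exeQueries volume information: C:\\Windows\\Fonts\\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\\Users\\user\\Desktop\\o8HZDSERz2.exeQueries volume information: C:\\Windows\\Fonts\\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\\Users\\user\\Desktop\\o8HZDSERz2.exe | Queries volume information: C:\\Windows\\Fonts\\cambria.ttc VolumeInformation
Source: C:\\Users\\user\\Desktop\\o8HZDSERz2.exeQueries volume information: C:\\Windows\\Fonts\\framd.ttf VolumeInformationJump to behavior
Source: C:\\Users\\user\\Desktop\\o8HZDSERz2.exeQueries volume information: C:\\Windows\\Fonts\\FRADM.TTF VolumeInformationJump to behavior
"""

# Constructed row, NOT observed in this report: exercises the non-font branch.
CONSTRUCTED_MIXED_ROW = (
    "Source: C:\\Users\\user\\Desktop\\o8HZDSERz2.exeQueries volume information: "
    "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data VolumeInformation"
)


def parse_rows(text):
    """Return (process, path) pairs for every line that matches ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("proc"), m.group("path")))
    return rows


def _parent_dir(path):
    """Case-folded parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def _in_font_dir(path):
    """True when the path is inside one of FONT_DIRS (subdirectories included)."""
    parent = _parent_dir(path)
    return any(parent == d or parent.startswith(d + "\\") for d in FONT_DIRS)


def summarize(rows):
    """Map case-folded directory -> Counter of case-folded file names queried there."""
    by_dir = {}
    for _, path in rows:
        name = PureWindowsPath(path).name.lower()
        by_dir.setdefault(_parent_dir(path), Counter())[name] += 1
    return by_dir


def outside_font_dirs(rows):
    """Queried paths that are not in the font store: the ones worth a closer look."""
    return sorted({path for _, path in rows if not _in_font_dir(path)})


def classify(rows):
    """'no-rows' for empty input, 'font-enumeration-only' when every queried path
    is in the font store, otherwise 'mixed'."""
    if not rows:
        return "no-rows"
    return "mixed" if outside_font_dirs(rows) else "font-enumeration-only"


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print(classify(rows), dict(summarize(rows)))
    mixed = parse_rows(SAMPLE_ROWS + CONSTRUCTED_MIXED_ROW)
    print(classify(mixed), outside_font_dirs(mixed))
```

Fed the rows of this report, the classifier returns font-enumeration-only, which is the reason this signature sits at the bottom of the list rather than driving the verdict; the verdict here rests on the YARA hit and the multi-AV detection listed at the top of the page. The per-directory counters also make the repeated rows visible at a glance (bahnschrift.ttf five times, several .ttc collections two or three times) without reading 106 lines, and a single path outside the font store is enough to flip the result to mixed, which is the case that deserves follow-up in the file-access section of the report.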