
Windows Analysis Report
KGdzTBQpgz.exe

Overview

General Information

Sample name: KGdzTBQpgz.exe (renamed because the original name is a hash value)
Original sample name: dff135bed1773d2314078ee9c461bdf377ee85e67330233a1e8d65d89071eee8.exe
Analysis ID: 1634633
MD5: ce7db8bb0bf0e611dd14dd507b88f0bd
SHA1: edea5e5f4d8ca559210e01a9882e9a2dc99b6ffb
SHA256: dff135bed1773d2314078ee9c461bdf377ee85e67330233a1e8d65d89071eee8
Tags: AsyncRAT, exe, user-adrian__luca

Detection

XWorm
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • KGdzTBQpgz.exe (PID: 7796 cmdline: "C:\Users\user\Desktop\KGdzTBQpgz.exe" MD5: CE7DB8BB0BF0E611DD14DD507B88F0BD)
    • KGdzTBQpgz.exe (PID: 8000 cmdline: "C:\Users\user\Desktop\KGdzTBQpgz.exe" MD5: CE7DB8BB0BF0E611DD14DD507B88F0BD)
  • cleanup
Malware configuration (extracted): {"C2 url": ["rency.ydns.eu", "wqo9.firewall-gateway.de"], "Port": 59012, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author
00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xff72:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1000f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10124:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xef06:$cnc4: POST / HTTP/1.1
00000000.00000002.1220019091.0000000002741000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1220019091.0000000002741000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x3be8a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x4db6e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x5fe1a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x3bf27:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x4dc0b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5feb7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x3c03c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x4dd20:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x5ffcc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x3ae1e:$cnc4: POST / HTTP/1.1
  • 0x4cb02:$cnc4: POST / HTTP/1.1
  • 0x5edae:$cnc4: POST / HTTP/1.1
00000002.00000002.3623352155.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author
0.2.KGdzTBQpgz.exe.276cd18.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.KGdzTBQpgz.exe.276cd18.1.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xa761:$str01: $VB$Local_Port
  • 0xa785:$str02: $VB$Local_Host
  • 0x8877:$str03: get_Jpeg
  • 0x900e:$str04: get_ServicePack
  • 0xb9a3:$str05: Select * from AntivirusProduct
  • 0xc605:$str06: PCRestart
  • 0xc619:$str07: shutdown.exe /f /r /t 0
  • 0xc6cb:$str08: StopReport
  • 0xc6a1:$str09: StopDDos
  • 0xc797:$str10: sendPlugin
  • 0xc935:$str12: -ExecutionPolicy Bypass -File "
  • 0xd3eb:$str13: Content-length: 5235
0.2.KGdzTBQpgz.exe.276cd18.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe372:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe40f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe524:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd306:$cnc4: POST / HTTP/1.1
0.2.KGdzTBQpgz.exe.277e9fc.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.KGdzTBQpgz.exe.277e9fc.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xa761:$str01: $VB$Local_Port
  • 0xa785:$str02: $VB$Local_Host
  • 0x8877:$str03: get_Jpeg
  • 0x900e:$str04: get_ServicePack
  • 0xb9a3:$str05: Select * from AntivirusProduct
  • 0xc605:$str06: PCRestart
  • 0xc619:$str07: shutdown.exe /f /r /t 0
  • 0xc6cb:$str08: StopReport
  • 0xc6a1:$str09: StopDDos
  • 0xc797:$str10: sendPlugin
  • 0xc935:$str12: -ExecutionPolicy Bypass -File "
  • 0xd3eb:$str13: Content-length: 5235

            System Summary

Sigma rule: Startup Folder File Write | Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\KGdzTBQpgz.exe, ProcessId: 8000, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroSoftOutlook.lnk
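The Sigma match above is a Sysmon Event ID 11 (FileCreate) write into the per-user Startup folder by the injected child process (PID 8000). The Python below is an added example, not part of the Joe Sandbox report and not the Sigma project's own rule code: it re-implements that check over Sysmon-style records and raises the severity when the writing image itself runs from a user-writable path, since a legitimate installer normally lives under Program Files. Only the first record reproduces the fields the match lists; the other records, the directory patterns and the severity rule are this example's own constructions.

```python
# Added example, not from the report and not the Sigma project's own code: a
# re-implementation of the "Startup Folder File Write" check over Sysmon
# Event ID 11 (FileCreate) records.  Directory patterns and the severity rule
# are this example's choices; all records except the first are constructed.

STARTUP_DIRS = (
    "\\microsoft\\windows\\start menu\\programs\\startup\\",             # per-user (%AppData%)
    "\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\", # all users
)
# Heuristic: a writer that itself runs from a user-writable path is the more suspicious case
USER_WRITABLE = ("\\users\\", "\\temp\\")

SAMPLE_EVENTS = [
    # fields exactly as the Sigma match in the report lists them
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\KGdzTBQpgz.exe", "ProcessId": 8000,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroSoftOutlook.lnk"},
    # constructed benign control: Explorer writing to its thumbnail cache
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "ProcessId": 4120,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db"},
    # constructed: an installer under Program Files writing the all-users Startup folder
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe", "ProcessId": 5512,
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VendorAgent.lnk"},
    # constructed: a ProcessCreate event (ID 1) that must not match
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\KGdzTBQpgz.exe", "ProcessId": 7796,
     "TargetFilename": ""},
]

def is_startup_write(event):
    """True for a Sysmon FileCreate whose target lies in a Startup folder."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "").lower()
    return any(d in target for d in STARTUP_DIRS)

def severity(event):
    image = event.get("Image", "").lower()
    return "high" if any(p in image for p in USER_WRITABLE) else "medium"

def detect(events):
    """One finding per Startup-folder write: (severity, pid, image, target)."""
    return [(severity(e), e["ProcessId"], e["Image"], e["TargetFilename"])
            for e in events if is_startup_write(e)]

if __name__ == "__main__":
    for sev, pid, image, target in detect(SAMPLE_EVENTS):
        print(f"[{sev}] pid {pid} {image} wrote {target}")
```

Run against the four records, the first (the report's match) comes back as a high-severity finding, the Program Files installer as medium, and the thumbnail-cache write and the EventID 1 record produce nothing.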
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T02:39:08.170939+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:10.509308+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:20.981793+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:33.794383+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:38.904212+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:39.047060+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:39.190014+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:39.529016+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:40.520787+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:44.810328+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:44.953269+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:45.097025+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:53.977598+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:02.372913+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:05.403985+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:05.637968+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:05.781365+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:05.923238+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:10.138510+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:10.531211+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:11.623906+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:11.766837+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:21.899062+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:27.013513+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:31.641135+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:37.325986+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:37.559724+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:40.387845+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:40.583342+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:48.030743+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:48.173775+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:48.315851+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:53.249038+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:58.939094+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:59.081535+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:05.014109+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:05.157031+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:05.301702+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:10.551597+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:10.934823+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:11.077726+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:16.310726+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:16.738340+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:16.927853+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:17.069672+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:17.211600+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:22.307366+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:22.463628+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:27.451666+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:38.688825+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:38.919967+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:40.541452+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:51.732351+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:42:04.544838+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:42:05.794757+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:42:05.951346+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:42:06.095835+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:42:06.379464+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:42:07.921264+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:42:10.540531+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:42:16.388303+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:42:27.153799+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T02:39:20.983695+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:39:33.820278+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:39:38.906028+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:39:39.049745+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:39:39.192313+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:39:39.530703+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:39:44.816481+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:39:44.955042+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:39:45.098844+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:39:53.983399+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:02.378949+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:05.405931+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:05.640349+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:05.803358+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:05.925729+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:10.141471+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:11.625419+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:11.768295+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:21.900630+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:27.017270+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:31.642598+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:37.328004+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:37.561566+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:40.395274+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:48.034145+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:48.175269+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:48.323384+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:53.251180+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:58.940789+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:40:59.084884+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:05.019599+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:05.158804+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:05.303519+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:10.936273+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:11.081376+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:16.314447+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:16.740318+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:16.932839+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:17.073023+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:17.213191+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:22.315377+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:22.471387+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:27.457160+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:38.691196+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:38.922013+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:41:51.734524+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:42:04.551515+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:42:05.796678+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:42:05.953169+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:42:06.097402+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:42:06.239064+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:42:06.244140+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:42:06.380780+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:42:07.922746+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:42:16.390689+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
2025-03-11T02:42:27.154607+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T02:39:10.509308+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:39:40.520787+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:10.531211+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:40:40.583342+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:10.551597+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:41:40.541452+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
2025-03-11T02:42:10.540531+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.245.240.123 | 59012 | 192.168.2.4 | 49721 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T02:40:05.164649+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49721 | 104.245.240.123 | 59012 | TCP
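All four tables above are the same 192.168.2.4:49721 to 104.245.240.123:59012 connection seen by different ETPRO signatures, and the SID 2852874 hits (the server's PING command) land almost exactly 30 seconds apart, which is the kind of fixed cadence a beacon detector keys on. The Python below is an added example, not part of the Joe Sandbox report: it parses alert rows in the report's column order, groups them per (SID, source, destination) and flags groups whose inter-arrival times are regular. The embedded rows are copied from the tables above (all seven SID 2852874 hits, the first five SID 2852870 hits and the single SID 2853193 hit); the `min_hits` and `max_cv` thresholds are this example's own choices, not Suricata or Joe Sandbox settings.

```python
# Added example, not part of the Joe Sandbox report.  Rows are copied from the
# report's Suricata tables; the thresholds are this example's own choices.
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# timestamp  sid  src_ip  src_port  dst_ip  dst_port  (one alert per line)
ALERT_ROWS = """
2025-03-11T02:39:10.509308+0100 2852874 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:39:40.520787+0100 2852874 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:40:10.531211+0100 2852874 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:40:40.583342+0100 2852874 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:41:10.551597+0100 2852874 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:41:40.541452+0100 2852874 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:42:10.540531+0100 2852874 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:39:08.170939+0100 2852870 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:39:10.509308+0100 2852870 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:39:20.981793+0100 2852870 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:39:33.794383+0100 2852870 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:39:38.904212+0100 2852870 104.245.240.123 59012 192.168.2.4 49721
2025-03-11T02:40:05.164649+0100 2853193 192.168.2.4 49721 104.245.240.123 59012
"""

def parse_alerts(text):
    """Parse whitespace-separated alert rows into dicts with aware datetimes."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, src, sport, dst, dport = line.split()
        alerts.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                       "sid": int(sid), "src": f"{src}:{sport}", "dst": f"{dst}:{dport}"})
    return alerts

def intervals(stamps):
    """Inter-arrival times in seconds, after sorting (rows may arrive unordered)."""
    stamps = sorted(stamps)
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]

def find_beacons(alerts, min_hits=4, max_cv=0.1):
    """Group alerts per (sid, src, dst) and keep the groups whose gaps are regular:
    coefficient of variation (stdev / mean of the gaps) at or below max_cv."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["sid"], a["src"], a["dst"])].append(a["ts"])
    findings = []
    for (sid, src, dst), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        gaps = intervals(stamps)
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            findings.append({"sid": sid, "src": src, "dst": dst, "hits": len(stamps),
                             "period": median(gaps), "cv": cv})
    return findings

if __name__ == "__main__":
    for f in find_beacons(parse_alerts(ALERT_ROWS)):
        print(f"SID {f['sid']} {f['src']} -> {f['dst']}: {f['hits']} hits, "
              f"period {f['period']:.1f} s, cv {f['cv']:.4f}")
```

Only the SID 2852874 group survives: seven hits with a median gap of 30 seconds and a coefficient of variation well under one percent. The five SID 2852870 check-in hits are rejected because their gaps (about 2, 10, 13 and 5 seconds) are far too irregular, and the lone SID 2853193 hit never reaches the interval test. On a real sensor the same grouping would run over flow records rather than alerts, so that a beacon with no signature is still visible.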


            AV Detection

Source: KGdzTBQpgz.exe | Avira: detected
Source: wqo9.firewall-gateway.de | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\MicroSoftOutlook.exe | Avira: detection malicious, Label: HEUR/AGEN.1311112
Source: 00000002.00000002.3623352155.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["rency.ydns.eu", "wqo9.firewall-gateway.de"], "Port": 59012, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\MicroSoftOutlook.exe | ReversingLabs: Detection: 65%
Source: KGdzTBQpgz.exe | Virustotal: Detection: 75%
Source: KGdzTBQpgz.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: rency.ydns.eu,wqo9.firewall-gateway.de
Source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: 59012
Source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: <123456789>
Source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Windows Session Manager
Source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: USB.exe
Source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: %AppData%
Source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: MicroSoftOutlook.exe
Source: KGdzTBQpgz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: KGdzTBQpgz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: vgJr.pdb | source: KGdzTBQpgz.exe, MicroSoftOutlook.exe.2.dr
Source: Binary string: vgJr.pdbSHA2567(co | source: KGdzTBQpgz.exe, MicroSoftOutlook.exe.2.dr
Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 4x nop then jmp 0711D95Ah | 0_2_0711CF56
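The string-decryptor entries above list the plaintexts the sandbox recovered (the two C2 hosts, the port, the AES key, the `<Xwormmm>` separator, the install name) but not how they were stored. The Python below is an added example, not code from the report or from XWorm: it assumes the scheme that public XWorm config extractors describe, AES-128 in ECB mode with PKCS#7 padding, the 16-byte AES key being the raw MD5 digest of the configuration key string (here `<123456789>`), and Base64-encoded ciphertexts. That scheme is an assumption, since the report itself does not state it. AES is implemented in pure Python so nothing has to be installed, and a FIPS-197 known-answer vector checks the cipher before any sample is trusted. `xworm_encrypt`, `xworm_decrypt`, `derive_key` and `self_test` are this example's own names; `xworm_encrypt` exists only to build constructed test input, because no ciphertext from this sample appears on the page.

```python
# Added example, not from the report.  Public XWorm config extractors describe the
# string encryption as AES-128-ECB + PKCS#7, key = MD5(config key string), Base64
# output; that scheme is an ASSUMPTION here.  AES is pure Python (no packages).
import base64
import hashlib

def _xtime(a):                      # multiply by x in GF(2^8)
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _gmul(a, b):                    # general GF(2^8) multiplication
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():                  # inverse + affine map; no table to mistype
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _expand_key(key):               # AES-128 schedule -> 11 round keys of 16 bytes
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s, inv=False):      # state: 16 bytes, index = row + 4 * column
    d = -1 if inv else 1
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s, inv=False):
    m = (14, 11, 13, 9) if inv else (2, 3, 1, 1)
    return [_gmul(s[4 * c], m[-r % 4]) ^ _gmul(s[4 * c + 1], m[(1 - r) % 4])
            ^ _gmul(s[4 * c + 2], m[(2 - r) % 4]) ^ _gmul(s[4 * c + 3], m[(3 - r) % 4])
            for c in range(4) for r in range(4)]

def _encrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        if rnd != 10:
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

def _decrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, -1, -1):
        s = [INV_SBOX[b] for b in _shift_rows(s, inv=True)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]
        if rnd:
            s = _mix_columns(s, inv=True)
    return bytes(s)

def derive_key(config_key):         # assumed XWorm derivation: raw MD5 digest
    return hashlib.md5(config_key.encode("utf-8")).digest()

def xworm_encrypt(plaintext, config_key):   # only used to build test input
    rk, data = _expand_key(derive_key(config_key)), plaintext.encode("utf-8")
    pad = 16 - len(data) % 16
    data += bytes([pad]) * pad                                  # PKCS#7
    ct = b"".join(_encrypt_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))
    return base64.b64encode(ct).decode("ascii")

def xworm_decrypt(b64_ciphertext, config_key):
    rk, ct = _expand_key(derive_key(config_key)), base64.b64decode(b64_ciphertext)
    if not ct or len(ct) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    pt = b"".join(_decrypt_block(rk, ct[i:i + 16]) for i in range(0, len(ct), 16))
    pad = pt[-1]
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or corrupted data")
    return pt[:-pad].decode("utf-8")

def self_test():                    # FIPS-197 Appendix C.1 known-answer vector
    rk = _expand_key(bytes(range(16)))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
    return _encrypt_block(rk, pt) == ct and _decrypt_block(rk, ct) == pt
```

To use it on a real sample, pull the Base64 strings out of the .NET resources or the decompiled settings class and call `xworm_decrypt(blob, "<123456789>")` on each; a `ValueError` on padding almost always means the key string (or the derivation assumed here) is wrong for that build, not that the data is corrupt. ECB has no IV, so identical plaintexts across samples produce identical blobs, which is itself a usable hunting indicator.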

            Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49721 -> 104.245.240.123:59012
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.245.240.123:59012 -> 192.168.2.4:49721
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.245.240.123:59012 -> 192.168.2.4:49721
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49721 -> 104.245.240.123:59012
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49721 -> 104.245.240.123:59012
Source: Malware configuration extractor | URLs: rency.ydns.eu
Source: Malware configuration extractor | URLs: wqo9.firewall-gateway.de
Source: global traffic | TCP traffic: 104.245.240.158 ports 59012,0,1,2,5,9
Source: global traffic | TCP traffic: 104.245.240.123 ports 59012,0,1,2,5,9
Source: global traffic | TCP traffic: 192.168.2.4:49714 -> 104.245.240.158:59012
Source: global traffic | TCP traffic: 192.168.2.4:49721 -> 104.245.240.123:59012
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: wqo9.firewall-gateway.de
Source: global traffic | DNS traffic detected: DNS query: rency.ydns.eu
Source: KGdzTBQpgz.exe, 00000002.00000002.3623352155.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: KGdzTBQpgz.exe, MicroSoftOutlook.exe.2.dr | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: KGdzTBQpgz.exe, 00000000.00000002.1222836264.0000000006972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

            Operating System Destruction

            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Process information set: 01 00 00 00
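The "Process information set: 01 00 00 00" line is the raw ULONG (little-endian 1) that the sample passes to NtSetInformationProcess with the ProcessBreakOnTermination information class (0x1D): it marks its own process as critical, so terminating it bug-checks the host. The following is an added responder-side example, not output of the sandbox or code of the sample: it decodes that argument from the report's hex dump and, on Windows only, queries and clears the flag on a live process before it is killed. The Windows calls assume an elevated token holding SeDebugPrivilege; the PID handling is the example's own.

```python
"""Check and clear the BreakOnTermination ("critical process") flag.

The sandbox line 'Process information set: 01 00 00 00' is the ULONG
argument of NtSetInformationProcess(ProcessBreakOnTermination = 0x1D).
A critical process cannot be terminated without a bug check, so the flag
must be reset to 0 first. Windows-only functions raise OSError elsewhere.
"""
import struct
import sys

PROCESS_BREAK_ON_TERMINATION = 0x1D   # PROCESSINFOCLASS ProcessBreakOnTermination
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_SET_INFORMATION = 0x0200


def decode_process_information(hexdump: str) -> int:
    """Decode the report's hex dump of the ULONG argument, e.g. '01 00 00 00'."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) != 4:
        raise ValueError("ProcessBreakOnTermination takes a 4-byte ULONG")
    return struct.unpack("<I", raw)[0]


def is_break_on_termination_request(hexdump: str) -> bool:
    """True when the dumped argument marks the process as critical (non-zero)."""
    return decode_process_information(hexdump) != 0


def _win_bindings():
    """Windows only: ntdll/kernel32 bindings with explicit signatures."""
    import ctypes
    from ctypes import wintypes
    ntdll = ctypes.WinDLL("ntdll")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenProcess.restype = wintypes.HANDLE
    kernel32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long      # NTSTATUS
    ntdll.NtQueryInformationProcess.argtypes = [
        wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p, wintypes.ULONG,
        ctypes.POINTER(wintypes.ULONG)]
    ntdll.NtSetInformationProcess.restype = ctypes.c_long
    ntdll.NtSetInformationProcess.argtypes = [
        wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p, wintypes.ULONG]
    return ctypes, wintypes, ntdll, kernel32


def query_break_on_termination(pid: int) -> bool:
    """Windows only: read the flag of a live process via NtQueryInformationProcess."""
    if sys.platform != "win32":
        raise OSError("NtQueryInformationProcess is only available on Windows")
    ctypes, wintypes, ntdll, kernel32 = _win_bindings()
    handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        value = wintypes.ULONG(0)
        returned = wintypes.ULONG(0)
        status = ntdll.NtQueryInformationProcess(
            handle, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(value),
            ctypes.sizeof(value), ctypes.byref(returned))
        if status != 0:
            raise OSError(f"NtQueryInformationProcess: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
        return value.value != 0
    finally:
        kernel32.CloseHandle(handle)


def clear_break_on_termination(pid: int) -> None:
    """Windows only (SeDebugPrivilege): reset the flag so the process can be killed safely."""
    if sys.platform != "win32":
        raise OSError("NtSetInformationProcess is only available on Windows")
    ctypes, wintypes, ntdll, kernel32 = _win_bindings()
    handle = kernel32.OpenProcess(PROCESS_SET_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        value = wintypes.ULONG(0)
        status = ntdll.NtSetInformationProcess(
            handle, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(value), ctypes.sizeof(value))
        if status != 0:
            raise OSError(f"NtSetInformationProcess: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    finally:
        kernel32.CloseHandle(handle)


if __name__ == "__main__":
    # The value recorded in this report: the sample set itself critical.
    print("critical:", is_break_on_termination_request("01 00 00 00"))
```

Clear the flag (or suspend the process and let the response tooling handle it) before any kill step; a plain taskkill on a process still carrying the flag takes the machine down with it.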

            System Summary

            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 2.2.KGdzTBQpgz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 2.2.KGdzTBQpgz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.1220019091.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 0_2_00B93E40
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 0_2_00B96F92
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 0_2_00B9DE6C
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 0_2_070DBF2D
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 0_2_071197A3
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 0_2_071197A8
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 0_2_07119390
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 0_2_0711B3F8
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 0_2_07118F38
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 0_2_0711AA47
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 0_2_0711AA48
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 2_2_018D414F
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 2_2_018D4748
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 2_2_018D1470
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 2_2_018DFC28
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Code function: 2_2_018D1A99
            Source: KGdzTBQpgz.exe, 00000000.00000002.1223587629.0000000006FA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe, 00000000.00000002.1220019091.00000000027A6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe, 00000000.00000002.1219388294.000000000096E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe, 00000000.00000000.1160820559.00000000002C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevgJr.exeB vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe, 00000000.00000002.1220019091.0000000002741000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe, 00000000.00000002.1220019091.0000000002741000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWindows Session Manager.exe4 vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe, 00000000.00000002.1221157553.0000000003781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe, 00000000.00000002.1224445648.00000000073F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe, 00000000.00000002.1221157553.0000000003749000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe, 00000002.00000002.3627726545.0000000006139000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe, 00000002.00000002.3626363496.00000000042D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevgJr.exeB vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe, 00000002.00000002.3621448752.0000000000414000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWindows Session Manager.exe4 vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe | Binary or memory string: OriginalFilenamevgJr.exeB vs KGdzTBQpgz.exe
            Source: KGdzTBQpgz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 2.2.KGdzTBQpgz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 2.2.KGdzTBQpgz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.1220019091.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: KGdzTBQpgz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, 5Qr5V2aNWCcdYn70pbgmQULMpvNQ94nj.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, FXGyLuigTPD9Vpab9VsegLmV1pqpKqi7.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, FXGyLuigTPD9Vpab9VsegLmV1pqpKqi7.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, 5Qr5V2aNWCcdYn70pbgmQULMpvNQ94nj.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, FXGyLuigTPD9Vpab9VsegLmV1pqpKqi7.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, FXGyLuigTPD9Vpab9VsegLmV1pqpKqi7.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.KGdzTBQpgz.exe.73f0000.7.raw.unpack, N7154xKbcZRC4LtMTw.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 0.2.KGdzTBQpgz.exe.73f0000.7.raw.unpack, N7154xKbcZRC4LtMTw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.KGdzTBQpgz.exe.73f0000.7.raw.unpack, N7154xKbcZRC4LtMTw.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 0.2.KGdzTBQpgz.exe.38e74d8.4.raw.unpack, N7154xKbcZRC4LtMTw.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 0.2.KGdzTBQpgz.exe.38e74d8.4.raw.unpack, N7154xKbcZRC4LtMTw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.KGdzTBQpgz.exe.38e74d8.4.raw.unpack, N7154xKbcZRC4LtMTw.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, dLiNKQaU0GLrnqDgfn9MKAjxEXAjUsCS5VFq7cg58lAoMo8IL0VaN74ez99xHY9Zksv9JRhkiG8BEwAEmtxuRjh1Yh.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, dLiNKQaU0GLrnqDgfn9MKAjxEXAjUsCS5VFq7cg58lAoMo8IL0VaN74ez99xHY9Zksv9JRhkiG8BEwAEmtxuRjh1Yh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.KGdzTBQpgz.exe.393d0f8.3.raw.unpack, anc9ha9RL05JI1pDAu.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.KGdzTBQpgz.exe.393d0f8.3.raw.unpack, anc9ha9RL05JI1pDAu.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.KGdzTBQpgz.exe.393d0f8.3.raw.unpack, N7154xKbcZRC4LtMTw.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 0.2.KGdzTBQpgz.exe.393d0f8.3.raw.unpack, N7154xKbcZRC4LtMTw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.KGdzTBQpgz.exe.393d0f8.3.raw.unpack, N7154xKbcZRC4LtMTw.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 0.2.KGdzTBQpgz.exe.38e74d8.4.raw.unpack, anc9ha9RL05JI1pDAu.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.KGdzTBQpgz.exe.38e74d8.4.raw.unpack, anc9ha9RL05JI1pDAu.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.KGdzTBQpgz.exe.73f0000.7.raw.unpack, anc9ha9RL05JI1pDAu.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.KGdzTBQpgz.exe.73f0000.7.raw.unpack, anc9ha9RL05JI1pDAu.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, dLiNKQaU0GLrnqDgfn9MKAjxEXAjUsCS5VFq7cg58lAoMo8IL0VaN74ez99xHY9Zksv9JRhkiG8BEwAEmtxuRjh1Yh.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, dLiNKQaU0GLrnqDgfn9MKAjxEXAjUsCS5VFq7cg58lAoMo8IL0VaN74ez99xHY9Zksv9JRhkiG8BEwAEmtxuRjh1Yh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/4@2/2
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KGdzTBQpgz.exe.log
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Mutant created: \Sessions\1\BaseNamedObjects\0QDhg9mCIkYog25F
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
            Source: KGdzTBQpgz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: KGdzTBQpgz.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: KGdzTBQpgz.exe | Virustotal: Detection: 75%
            Source: KGdzTBQpgz.exe | ReversingLabs: Detection: 65%
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | File read: C:\Users\user\Desktop\KGdzTBQpgz.exe
            Source: unknown | Process created: C:\Users\user\Desktop\KGdzTBQpgz.exe "C:\Users\user\Desktop\KGdzTBQpgz.exe"
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Process created: C:\Users\user\Desktop\KGdzTBQpgz.exe "C:\Users\user\Desktop\KGdzTBQpgz.exe"
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Process created: C:\Users\user\Desktop\KGdzTBQpgz.exe "C:\Users\user\Desktop\KGdzTBQpgz.exe"
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: sxs.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: scrrun.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: linkinfo.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: ntshrui.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: cscapi.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: KGdzTBQpgz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: KGdzTBQpgz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: KGdzTBQpgz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: vgJr.pdb source: KGdzTBQpgz.exe, MicroSoftOutlook.exe.2.dr
            Source: Binary string: vgJr.pdbSHA2567(co source: KGdzTBQpgz.exe, MicroSoftOutlook.exe.2.dr
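Three of the behaviours in this section translate directly into host-side detections: the sample launches a second copy of itself (the KGdzTBQpgz.exe -> KGdzTBQpgz.exe process tree, the usual shape of a suspended child used as an injection target), it creates the mutex 0QDhg9mCIkYog25F, and it resolves wqo9.firewall-gateway.de and rency.ydns.eu. The following is an added example, not part of the report or of any vendor's ruleset: it runs those three rules over constructed Sysmon-style events. The event schema, the PIDs and the treatment of firewall-gateway.de and ydns.eu as dynamic-DNS provider suffixes are assumptions of the example.

```python
"""Triage rules for three behaviours recorded in this report, run over
constructed Sysmon-style events (constructed sample data, not sandbox output).

  self_spawn  - a process creates a child with its own image path
  known_mutex - the mutex name the sample created
  dynamic_dns - DNS queries under dynamic-DNS provider suffixes (the suffix
                list is an assumption of this example)
"""
from dataclasses import dataclass

KNOWN_MUTEXES = {"0QDhg9mCIkYog25F"}                         # from the report
DYNAMIC_DNS_SUFFIXES = ("firewall-gateway.de", "ydns.eu")    # assumption


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _under_suffix(name: str, suffix: str) -> bool:
    return name == suffix or name.endswith("." + suffix)


def triage(events):
    """Return one Alert per rule hit, in event order."""
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            if ev["ParentImage"].lower() == ev["Image"].lower():
                alerts.append(Alert(
                    "self_spawn", ev["ProcessId"],
                    f'{ev["Image"]} spawned a copy of itself (parent pid {ev["ParentProcessId"]})'))
        elif kind == "MutexCreate":
            # strip the \Sessions\<n>\BaseNamedObjects\ prefix before matching
            name = ev["Name"].rsplit("\\", 1)[-1]
            if name in KNOWN_MUTEXES:
                alerts.append(Alert("known_mutex", ev["ProcessId"], name))
        elif kind == "DnsQuery":
            qname = ev["QueryName"].lower().rstrip(".")
            if any(_under_suffix(qname, s) for s in DYNAMIC_DNS_SUFFIXES):
                alerts.append(Alert("dynamic_dns", ev["ProcessId"], qname))
    return alerts


SAMPLE = "C:\\Users\\user\\Desktop\\KGdzTBQpgz.exe"
# Constructed events; the PIDs and the explorer/cmd entries are made up.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "ProcessId": 4120, "ParentProcessId": 3300,
     "Image": SAMPLE, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"type": "ProcessCreate", "ProcessId": 4480, "ParentProcessId": 4120,
     "Image": SAMPLE, "ParentImage": SAMPLE},
    {"type": "MutexCreate", "ProcessId": 4480,
     "Name": "\\Sessions\\1\\BaseNamedObjects\\0QDhg9mCIkYog25F"},
    {"type": "DnsQuery", "ProcessId": 4480, "QueryName": "wqo9.firewall-gateway.de"},
    {"type": "DnsQuery", "ProcessId": 4480, "QueryName": "rency.ydns.eu"},
    {"type": "DnsQuery", "ProcessId": 1234, "QueryName": "www.microsoft.com"},
    {"type": "ProcessCreate", "ProcessId": 5000, "ParentProcessId": 3300,
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The self_spawn rule on its own is noisy (browsers and installers also launch copies of themselves), which is why it is worth correlating with the mutex and DNS hits on the same PID before escalating; the font-metadata URLs listed earlier in the report (fontbureau.com, founder.com.cn and the like) are license strings from embedded fonts and are not usable as indicators.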

            Data Obfuscation

            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, F4RGvMuj4U5T65cao0T2zsRWeZG2uQx8.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{CHmzyYZA9cgfj3YyRnpXSfYR0bSLRZpZVYv8N6YwZVL0adnscLSd4FBRnCeCtG5BHclVDrGYefh3Kmjs2TERgJrj9B.G0raM1kPDEMMlhPB9yl5P9u5pPZc6lhTHLHIEXqsmIRqdQxroTsfHDdQsQJxCXG73pb03OUmGncvFXYIZZNNoNjgRx,CHmzyYZA9cgfj3YyRnpXSfYR0bSLRZpZVYv8N6YwZVL0adnscLSd4FBRnCeCtG5BHclVDrGYefh3Kmjs2TERgJrj9B.NEK5VDa6oCy9DVn5hoy62UHZ2OmX9CVNL5bYbvH4dnkbpZcIiIZejNw6XeSIj6OMAzDLAJfvTr7vlaFwIDZTf5BL7m,CHmzyYZA9cgfj3YyRnpXSfYR0bSLRZpZVYv8N6YwZVL0adnscLSd4FBRnCeCtG5BHclVDrGYefh3Kmjs2TERgJrj9B._1WhPfMrIKDDl0ZM9S74QT61d9GUu7r472ut0CgDqCmnKNSBeENYKVfdbXPfx55DmlhPDioNwvxv7FJRhhU1gOncOdj,CHmzyYZA9cgfj3YyRnpXSfYR0bSLRZpZVYv8N6YwZVL0adnscLSd4FBRnCeCtG5BHclVDrGYefh3Kmjs2TERgJrj9B.QxoO2KJsgwe9ANp10ZfzVMpjq9ynLi9HhMez24Gf0SJPHJmVskiUHxzFQ5wAazTnh2ffKzUhc17kgo5NjpOinMsgwA,FXGyLuigTPD9Vpab9VsegLmV1pqpKqi7._6LtKvHyoh6zmhMDjIh()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, F4RGvMuj4U5T65cao0T2zsRWeZG2uQx8.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9kO15zmALBVwknd2wiZZDlpysYGL97Aj[2],FXGyLuigTPD9Vpab9VsegLmV1pqpKqi7.IeYFzbdVdcZpqL3jFx(Convert.FromBase64String(_9kO15zmALBVwknd2wiZZDlpysYGL97Aj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, F4RGvMuj4U5T65cao0T2zsRWeZG2uQx8.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{CHmzyYZA9cgfj3YyRnpXSfYR0bSLRZpZVYv8N6YwZVL0adnscLSd4FBRnCeCtG5BHclVDrGYefh3Kmjs2TERgJrj9B.G0raM1kPDEMMlhPB9yl5P9u5pPZc6lhTHLHIEXqsmIRqdQxroTsfHDdQsQJxCXG73pb03OUmGncvFXYIZZNNoNjgRx,CHmzyYZA9cgfj3YyRnpXSfYR0bSLRZpZVYv8N6YwZVL0adnscLSd4FBRnCeCtG5BHclVDrGYefh3Kmjs2TERgJrj9B.NEK5VDa6oCy9DVn5hoy62UHZ2OmX9CVNL5bYbvH4dnkbpZcIiIZejNw6XeSIj6OMAzDLAJfvTr7vlaFwIDZTf5BL7m,CHmzyYZA9cgfj3YyRnpXSfYR0bSLRZpZVYv8N6YwZVL0adnscLSd4FBRnCeCtG5BHclVDrGYefh3Kmjs2TERgJrj9B._1WhPfMrIKDDl0ZM9S74QT61d9GUu7r472ut0CgDqCmnKNSBeENYKVfdbXPfx55DmlhPDioNwvxv7FJRhhU1gOncOdj,CHmzyYZA9cgfj3YyRnpXSfYR0bSLRZpZVYv8N6YwZVL0adnscLSd4FBRnCeCtG5BHclVDrGYefh3Kmjs2TERgJrj9B.QxoO2KJsgwe9ANp10ZfzVMpjq9ynLi9HhMez24Gf0SJPHJmVskiUHxzFQ5wAazTnh2ffKzUhc17kgo5NjpOinMsgwA,FXGyLuigTPD9Vpab9VsegLmV1pqpKqi7._6LtKvHyoh6zmhMDjIh()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, F4RGvMuj4U5T65cao0T2zsRWeZG2uQx8.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9kO15zmALBVwknd2wiZZDlpysYGL97Aj[2],FXGyLuigTPD9Vpab9VsegLmV1pqpKqi7.IeYFzbdVdcZpqL3jFx(Convert.FromBase64String(_9kO15zmALBVwknd2wiZZDlpysYGL97Aj[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: KGdzTBQpgz.exe, Form3.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, F4RGvMuj4U5T65cao0T2zsRWeZG2uQx8.cs.Net Code: gOIGZopd4222ZUGeO1kt9Nq94tVALXP1 System.AppDomain.Load(byte[])
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, F4RGvMuj4U5T65cao0T2zsRWeZG2uQx8.cs.Net Code: m4KehpttNHFLrnvM8ITor8LgDilthTDJ System.AppDomain.Load(byte[])
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, F4RGvMuj4U5T65cao0T2zsRWeZG2uQx8.cs.Net Code: m4KehpttNHFLrnvM8ITor8LgDilthTDJ
            Source: 0.2.KGdzTBQpgz.exe.38e74d8.4.raw.unpack, N7154xKbcZRC4LtMTw.cs.Net Code: WmUZv9iqaE System.Reflection.Assembly.Load(byte[])
            Source: 0.2.KGdzTBQpgz.exe.27ba110.2.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.KGdzTBQpgz.exe.3761398.5.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.KGdzTBQpgz.exe.393d0f8.3.raw.unpack, N7154xKbcZRC4LtMTw.cs.Net Code: WmUZv9iqaE System.Reflection.Assembly.Load(byte[])
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, F4RGvMuj4U5T65cao0T2zsRWeZG2uQx8.cs.Net Code: gOIGZopd4222ZUGeO1kt9Nq94tVALXP1 System.AppDomain.Load(byte[])
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, F4RGvMuj4U5T65cao0T2zsRWeZG2uQx8.cs.Net Code: m4KehpttNHFLrnvM8ITor8LgDilthTDJ System.AppDomain.Load(byte[])
            Source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, F4RGvMuj4U5T65cao0T2zsRWeZG2uQx8.cs.Net Code: m4KehpttNHFLrnvM8ITor8LgDilthTDJ
            Source: 0.2.KGdzTBQpgz.exe.73f0000.7.raw.unpack, N7154xKbcZRC4LtMTw.cs.Net Code: WmUZv9iqaE System.Reflection.Assembly.Load(byte[])
            Source: 0.2.KGdzTBQpgz.exe.6fa0000.6.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
            Source: KGdzTBQpgz.exeStatic PE information: 0x90B0FE9B [Tue Dec 4 06:43:39 2046 UTC]
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeCode function: 0_2_070DE4AA pushad ; retf 0_2_070DE4B1
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeCode function: 0_2_071142D9 push ebx; ret 0_2_071142DA
            Source: KGdzTBQpgz.exeStatic PE information: section name: .text entropy: 7.669078378159408
            Source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, CHmzyYZA9cgfj3YyRnpXSfYR0bSLRZpZVYv8N6YwZVL0adnscLSd4FBRnCeCtG5BHclVDrGYefh3Kmjs2TERgJrj9B.csHigh entropy of concatenated method names: 'rUrlRFJz30faaab11oHTcakzf5AIlJdvsmXpLNAUhNCIpj0vPL', '_8hd0AxtuVa5N2QkSm7QRnsJdB51FrU0vcMRFKUDo9WQXXILK7O', 'XBaKvfuhxf76waGiEaqVXUATUA9TQ1dWbrqvAziNcgckLtgaZr', 'BFGLVzxnfZ4HfjHCawIZXfjDVgtdEfbRuroXUwWofu8amEHaip'
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe, File created: C:\Users\user\AppData\Roaming\MicroSoftOutlook.exe
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroSoftOutlook.lnk
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: Yara match - File source: Process Memory Space: KGdzTBQpgz.exe PID: 7796, type: MEMORYSTR
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory allocated: B70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory allocated: 2740000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory allocated: 2490000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory allocated: 8B50000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory allocated: 7590000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory allocated: 9B50000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory allocated: AB50000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory allocated: 18D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory allocated: 32D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory allocated: 30D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Window / User API: threadDelayed 9224
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Window / User API: threadDelayed 608
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe TID: 7816 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe TID: 7280 - Thread sleep time: -29514790517935264s >= -30000s
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - File Volume queried: C:\ FullSizeInformation
            Source: KGdzTBQpgz.exe, 00000002.00000002.3621896763.000000000147A000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Process token adjusted: Debug
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Memory written: C:\Users\user\Desktop\KGdzTBQpgz.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Process created: C:\Users\user\Desktop\KGdzTBQpgz.exe "C:\Users\user\Desktop\KGdzTBQpgz.exe"
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Users\user\Desktop\KGdzTBQpgz.exe VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exe - Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Users\user\Desktop\KGdzTBQpgz.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: KGdzTBQpgz.exe, 00000002.00000002.3621896763.000000000147A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\KGdzTBQpgz.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match, File source: 0.2.KGdzTBQpgz.exe.276cd18.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.KGdzTBQpgz.exe.277e9fc.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 2.2.KGdzTBQpgz.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.1220019091.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.3623352155.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: KGdzTBQpgz.exe PID: 7796, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: KGdzTBQpgz.exe PID: 8000, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match, File source: 0.2.KGdzTBQpgz.exe.276cd18.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.KGdzTBQpgz.exe.277e9fc.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 2.2.KGdzTBQpgz.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.KGdzTBQpgz.exe.277e9fc.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.KGdzTBQpgz.exe.276cd18.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000002.00000002.3621448752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.1220019091.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.3623352155.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: KGdzTBQpgz.exe PID: 7796, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: KGdzTBQpgz.exe PID: 8000, type: MEMORYSTR
            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
            Windows Management Instrumentation
            2
            Registry Run Keys / Startup Folder
            111
            Process Injection
            1
            Masquerading
            OS Credential Dumping221
            Security Software Discovery
            Remote Services11
            Archive Collected Data
            1
            Encrypted Channel
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/Job1
            DLL Side-Loading
            2
            Registry Run Keys / Startup Folder
            1
            Disable or Modify Tools
            LSASS Memory1
            Process Discovery
            Remote Desktop ProtocolData from Removable Media1
            Non-Standard Port
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading
            131
            Virtualization/Sandbox Evasion
            Security Account Manager131
            Virtualization/Sandbox Evasion
            SMB/Windows Admin SharesData from Network Shared Drive1
            Non-Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
            Process Injection
            NTDS1
            Application Window Discovery
            Distributed Component Object ModelInput Capture11
            Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information
            LSA Secrets1
            File and Directory Discovery
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
            Obfuscated Files or Information
            Cached Domain Credentials13
            System Information Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items22
            Software Packing
            DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            Timestomp
            Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            DLL Side-Loading
            /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
