
Analysis Report IMG_210000355530014_AN6714.scr

Overview

General Information

Sample Name: IMG_210000355530014_AN6714.scr (renamed file extension from scr to exe)
MD5: 4e30370a2769ef2fda39aaec9380acb7
SHA1: e554b1eca0e6d6b24adce41bb160cd1d4783def9
SHA256: a2028ac7052677c8828bdbd87741173418ebfe1ab5055747e5ffe9042043103c

Detection

AgentTesla
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large strings
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1197400279.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.1202254348.0000000003558000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.796383250.0000000003699000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: IMG_210000355530014_AN6714.exe PID: 3636 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.IMG_210000355530014_AN6714.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: IMG_210000355530014_AN6714.exe | Virustotal: Detection: 27%
Machine Learning detection for sample
Source: IMG_210000355530014_AN6714.exe | Joe Sandbox ML: detected
Source: 2.2.IMG_210000355530014_AN6714.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.780231300.0000000005545000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.784868510.0000000005532000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.780231300.0000000005545000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnS
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.782116598.0000000005533000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.782116598.0000000005533000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.782116598.0000000005533000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.781984776.0000000005533000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0C1
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.782116598.0000000005533000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.782116598.0000000005533000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.781984776.0000000005533000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.782116598.0000000005533000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/m
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.782116598.0000000005533000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/oi
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.782116598.0000000005533000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/p=hp
Source: IMG_210000355530014_AN6714.exe, 00000000.00000003.782116598.0000000005533000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/va
Source: IMG_210000355530014_AN6714.exe | String found in binary or memory: http://www.nerfplz.com/2015/05/top-10-ways-to-get-better-at-league-of.html
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.800998136.00000000056F6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

System Summary:

.NET source code contains very large strings
Source: IMG_210000355530014_AN6714.exe, ??O?zBOv?/??XYz?V?ty.cs | Long String: Length: 13928
Source: 0.0.IMG_210000355530014_AN6714.exe.200000.0.unpack, ??O?zBOv?/??XYz?V?ty.cs | Long String: Length: 13928
Source: 0.2.IMG_210000355530014_AN6714.exe.200000.0.unpack, ??O?zBOv?/??XYz?V?ty.cs | Long String: Length: 13928
Source: 1.2.IMG_210000355530014_AN6714.exe.220000.0.unpack, ??O?zBOv?/??XYz?V?ty.cs | Long String: Length: 13928
Source: 1.0.IMG_210000355530014_AN6714.exe.220000.0.unpack, ??O?zBOv?/??XYz?V?ty.cs | Long String: Length: 13928
Source: 2.2.IMG_210000355530014_AN6714.exe.f50000.1.unpack, ??O?zBOv?/??XYz?V?ty.cs | Long String: Length: 13928
Source: 2.0.IMG_210000355530014_AN6714.exe.f50000.0.unpack, ??O?zBOv?/??XYz?V?ty.cs | Long String: Length: 13928
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: IMG_210000355530014_AN6714.exe
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 0_2_0248C62C | 0_2_0248C62C
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 0_2_0248E620 | 0_2_0248E620
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 0_2_0248E630 | 0_2_0248E630
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_018029B0 | 2_2_018029B0
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_018078B8 | 2_2_018078B8
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_01806B58 | 2_2_01806B58
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_0180FA98 | 2_2_0180FA98
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_01800D18 | 2_2_01800D18
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_0180368C | 2_2_0180368C
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_01804690 | 2_2_01804690
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_0180398A | 2_2_0180398A
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_01803906 | 2_2_01803906
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_01803948 | 2_2_01803948
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_0180383B | 2_2_0180383B
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_0180387D | 2_2_0180387D
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_0180FA68 | 2_2_0180FA68
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_018029B0 | 2_2_018029B0
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_01803D07 | 2_2_01803D07
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_01800448 | 2_2_01800448
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_01803475 | 2_2_01803475
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_018037B7 | 2_2_018037B7
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_018037F9 | 2_2_018037F9
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_01803775 | 2_2_01803775
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_018036AA | 2_2_018036AA
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_018036EC | 2_2_018036EC
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_01804677 | 2_2_01804677
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_067CA3D8 | 2_2_067CA3D8
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_067C7BD0 | 2_2_067C7BD0
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_067CD990 | 2_2_067CD990
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_067CC8E8 | 2_2_067CC8E8
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_067CA9E8 | 2_2_067CA9E8
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_067C8584 | 2_2_067C8584
Source: IMG_210000355530014_AN6714.exe | Binary or memory string: OriginalFilename vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe, 00000000.00000000.772735232.0000000000202000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamexeNRyoOEBGTjzCuPiodQz.exeD vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.795619522.00000000026C5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePythagoreanModules.dllF vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe, 00000000.00000002.795524695.0000000002690000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCYduVcCwXLlWvmVQeJvLxVAMYwNacCjhKHKt.exe4 vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe | Binary or memory string: OriginalFilename vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe, 00000001.00000002.791926546.0000000000222000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamexeNRyoOEBGTjzCuPiodQz.exeD vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe | Binary or memory string: OriginalFilename vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe, 00000002.00000000.792410618.0000000000F52000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamexeNRyoOEBGTjzCuPiodQz.exeD vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe, 00000002.00000002.1197400279.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCYduVcCwXLlWvmVQeJvLxVAMYwNacCjhKHKt.exe4 vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe, 00000002.00000002.1197657110.0000000001357000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe, 00000002.00000002.1203871894.0000000005A70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe | Binary or memory string: OriginalFilenamexeNRyoOEBGTjzCuPiodQz.exeD vs IMG_210000355530014_AN6714.exe
Source: IMG_210000355530014_AN6714.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal84.troj.spyw.evad.winEXE@5/1@0/0
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG_210000355530014_AN6714.exe.log
Source: IMG_210000355530014_AN6714.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IMG_210000355530014_AN6714.exe | Virustotal: Detection: 27%
Source: unknown | Process created: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe 'C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe'
Source: unknown | Process created: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe
Source: unknown | Process created: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Process created: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Process created: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: IMG_210000355530014_AN6714.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: IMG_210000355530014_AN6714.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: PythagoreanModules.pdb source: IMG_210000355530014_AN6714.exe, 00000000.00000002.795619522.00000000026C5000.00000004.00000001.sdmp
Source: Binary string: PythagoreanModules.pdbx8 source: IMG_210000355530014_AN6714.exe, 00000000.00000002.795619522.00000000026C5000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 0_2_0248AAC0 pushfd ; retf | 0_2_0248AAC1
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Code function: 2_2_0180C9A7 push edi; retn 0000h | 2_2_0180C9A9
Source: initial sample | Static PE information: section name: .text entropy: 7.71686033651

Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Window / User API: threadDelayed 673
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 2608 | Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 4368 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 5012 | Thread sleep count: 223 > 30
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 5012 | Thread sleep count: 673 > 30
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -59812s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -59500s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -59312s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -58812s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -58000s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -56812s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -56406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -55030s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -54812s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -53718s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -53312s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -52406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -77718s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -76968s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -51124s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -50906s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -50000s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -74577s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -49500s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -73968s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -48812s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -48624s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -47906s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -47718s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -47218s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -46812s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -46312s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -45406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -45000s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -44812s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -44500s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -44312s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -43906s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -43624s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -43406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -43218s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -42500s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -42312s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -40906s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -40718s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -40218s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -40000s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -59718s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -39500s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -58968s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -39124s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -38906s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -38406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -38218s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -38000s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -37718s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -37530s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -37312s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -37030s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -36812s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -36624s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -35718s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -35406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -34500s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -34312s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -34030s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -33406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -49359s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -32718s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -58406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -57500s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -52186s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -52000s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -51500s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -50406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -48406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -42094s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -41406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -35906s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -32406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -32218s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -31312s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184 | Thread sleep time: -30406s >= -30000s
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Last function: Thread delayed
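The sleep lines above are the raw material for the evasive-loop and long-sleep verdicts: two threads ask for waits that can never return, one thread loops through hundreds of short sleeps, and the analysis ends with the process still asleep. The Python below is an added example, not part of the report. It parses lines in this report's format (a handful copied from this section are embedded as constructed input), buckets the requested waits, tracks the sleep-count loops per thread, and estimates how much of an analysis run the sample would burn if every sleep were honoured. It assumes the "s" suffix on these values means milliseconds (Sleep(30000) is the natural reading of the 30000 cut-off quoted on every line); the 120 s run length and the one-day "unbounded" bucket are the example's own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Thresholds. The 30 000 ms cut-off is the one quoted in every
# "Thread sleep time: ... >= -30000s" line. The other two are this example's
# own buckets: 3 minutes, and one day for waits that cannot return inside
# any realistic analysis run. 922337203685477 is Int64.MaxValue / 10000,
# i.e. the largest .NET TimeSpan expressed in milliseconds, which is what a
# sleep on an effectively infinite TimeSpan turns into. (Assumption: the
# "s" suffix in the report is milliseconds.)
LONG_SLEEP_MS = 30_000
VERY_LONG_SLEEP_MS = 3 * 60_000
UNBOUNDED_MS = 24 * 60 * 60 * 1000

SLEEP_RE = re.compile(r"TID:\s*(\d+)\s*Thread sleep time:\s*-?(\d+)s")
COUNT_RE = re.compile(r"TID:\s*(\d+)\s*Thread sleep count:\s*(\d+)")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")


@dataclass
class SleepSummary:
    requests: list = field(default_factory=list)    # (tid, ms) in report order
    loop_counts: dict = field(default_factory=dict) # tid -> highest loop count
    delays: list = field(default_factory=list)      # "Thread delayed" values

    @property
    def long_sleeps(self):
        return [ms for _, ms in self.requests if ms >= LONG_SLEEP_MS]

    @property
    def very_long_sleeps(self):
        return [ms for _, ms in self.requests if ms >= VERY_LONG_SLEEP_MS]

    @property
    def unbounded_sleeps(self):
        return sum(1 for _, ms in self.requests if ms >= UNBOUNDED_MS)

    def threads(self):
        return dict(Counter(tid for tid, _ in self.requests))

    def budget_consumed_ms(self, run_length_ms):
        """Wall clock the sample would burn if every sleep were honoured,
        each request capped at the run length (a longer sleep simply means
        the run ends while the sample is still asleep)."""
        return sum(min(ms, run_length_ms) for _, ms in self.requests)


def parse_sleep_report(lines):
    s = SleepSummary()
    for line in lines:
        if m := SLEEP_RE.search(line):
            s.requests.append((int(m.group(1)), int(m.group(2))))
        elif m := COUNT_RE.search(line):
            tid, n = int(m.group(1)), int(m.group(2))
            s.loop_counts[tid] = max(s.loop_counts.get(tid, 0), n)
        elif m := DELAY_RE.search(line):
            s.delays.append(int(m.group(1)))
    return s


def assess(s, run_length_ms=120_000):
    """Indicators the sleep pattern supports. run_length_ms is an assumed
    analysis window, not a value from the report."""
    reasons = []
    if s.unbounded_sleeps:
        reasons.append("unbounded_sleep")
    if s.long_sleeps:
        reasons.append("long_sleep")
    if any(n > 30 for n in s.loop_counts.values()):
        reasons.append("sleep_loop")
    if s.budget_consumed_ms(run_length_ms) >= run_length_ms:
        reasons.append("sleeps_exceed_run")
    return reasons


# Constructed input: a handful of lines in the report's own format.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 2608Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 4368Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184Thread sleep time: -4611686018427385s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 5012Thread sleep count: 223 > 30Jump to behavior
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 5012Thread sleep count: 673 > 30Jump to behavior
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe TID: 1184Thread sleep time: -59812s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe Thread delayed: delay time: 922337203685477Jump to behavior
""".strip().splitlines()

if __name__ == "__main__":
    summary = parse_sleep_report(SAMPLE_LINES)
    print(summary.threads(), summary.loop_counts, assess(summary))
```

The regexes tolerate both the fused text as extracted and a cleaned-up layout with separators, so the same parser runs over the report as-is. The per-thread view matters more than the totals: a single thread issuing dozens of 30 to 80 second sleeps is a stalling loop, while one request for the maximum TimeSpan is a parked thread, and a sandbox that skips or shortens sleeps needs to handle both shapes.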
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Process information queried: ProcessInformation

            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Memory allocated: page read and write | page guard

            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Process created: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Process created: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe
            Source: IMG_210000355530014_AN6714.exe, 00000002.00000002.1199696153.0000000001DF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: IMG_210000355530014_AN6714.exe, 00000002.00000002.1199696153.0000000001DF0000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: IMG_210000355530014_AN6714.exe, 00000002.00000002.1199696153.0000000001DF0000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
            Source: IMG_210000355530014_AN6714.exe, 00000002.00000002.1199696153.0000000001DF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match, file source: 00000002.00000002.1197400279.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000002.1202254348.0000000003558000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.796383250.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: IMG_210000355530014_AN6714.exe PID: 3636, type: MEMORY
Source: Yara match, file source: 2.2.IMG_210000355530014_AN6714.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
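The two signatures above are behavioural: a single process opening Chrome's Login Data, Firefox's and Thunderbird's profiles.ini, and the IncrediMail and Outlook profile keys in one run. The script below is an added example (not Joe Sandbox code and not part of this report) that turns that observation into a check over report-style event lines. The event lines are constructed to mirror the report's entries, the "family:product" labels are the example's own naming, and the alert threshold (two product families, or three stores) is an assumption chosen so that a mail client reading its own profile does not fire.

```python
"""Flag processes that sweep multiple credential stores, from sandbox-style
file/registry access events.  Added example; not part of the report."""
import re
from collections import defaultdict

# One report-style event line: "Source: <process> <operation>: <target>".
# The process path is taken up to the first ".exe" that an operation keyword follows.
EVENT_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?\.exe)\s+"
    r"(?P<op>File opened|Key opened|Key value queried|Queries volume information):\s+"
    r"(?P<target>.+?)\s*$"
)

# Credential stores a stealer reads; patterns follow the targets in the report.
CREDENTIAL_STORES = [
    ("browser:chrome",   re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("browser:firefox",  re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I)),
    ("mail:thunderbird", re.compile(r"\\Thunderbird\\profiles\.ini$", re.I)),
    ("mail:incredimail", re.compile(r"\\Software\\IncrediMail\\Identities$", re.I)),
    ("mail:outlook",     re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", re.I)),
]


def parse_event(line):
    """Return {'proc', 'op', 'target'} for a report-style line, else None."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_target(target):
    """Map a file path or registry key to a credential-store label, else None."""
    for label, pattern in CREDENTIAL_STORES:
        if pattern.search(target):
            return label
    return None


def score_events(text):
    """Per process: the credential stores it touched and whether that looks like
    harvesting rather than an application reading its own profile."""
    stores_by_proc = defaultdict(set)
    seen = set()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        seen.add(ev["proc"])
        label = classify_target(ev["target"])
        if label:
            stores_by_proc[ev["proc"]].add(label)
    report = {}
    for proc in seen:
        stores = sorted(stores_by_proc.get(proc, ()))
        families = {s.split(":", 1)[0] for s in stores}
        # Reaching across product families (browser AND mail), or sweeping three
        # or more stores, is the stealer pattern.  Threshold is this example's choice.
        alert = len(families) >= 2 or len(stores) >= 3
        report[proc] = {"stores": stores, "alert": alert}
    return report


# Constructed sample: the report's accesses for the sample, one benign access by
# a mail client, and two non-credential entries that must be ignored.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\IMG_210000355530014_AN6714.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files\Mozilla Thunderbird\thunderbird.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
"""

if __name__ == "__main__":
    for proc, info in score_events(SAMPLE_EVENTS).items():
        print(("ALERT " if info["alert"] else "ok    ") + proc, info["stores"])
```

Run against the constructed sample, the malware process is flagged with all five stores while thunderbird.exe, which only reads its own profiles.ini, stays below the threshold; the MachineGuid and font entries are parsed but do not count as stores.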

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match, file source: 00000002.00000002.1197400279.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000002.1202254348.0000000003558000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.796383250.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: IMG_210000355530014_AN6714.exe PID: 3636, type: MEMORY
Source: Yara match, file source: 2.2.IMG_210000355530014_AN6714.exe.400000.0.unpack, type: UNPACKEDPE
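The same three memory dumps are listed under both the Stealing of Sensitive Information and the Remote Access Functionality Yara matches, and their file names carry the information an analyst needs to pick the dump worth opening first. The decoder below is an added example (not Joe Sandbox tooling); the field layout it assumes for `<proc>.<phase>.<id>.<base>.<protection>.<kind>.sdmp` is inferred from the names on this page, with the fourth field read as a base address and the fifth as a Win32 PAGE_* protection value. Under that reading the hit at 0x402000 in process 2 lies in a PAGE_EXECUTE_READWRITE region, which is what an unpacked or injected image looks like, while the two 0x04 (PAGE_READWRITE) hits are plain data regions.

```python
"""Decode Joe Sandbox-style memory-dump names and pick out hits that sit in
writable+executable regions.  Added example; not part of the report or of
Joe Sandbox.  The field meanings are this example's assumptions, inferred from
the names on the page: process index, phase, dump id, base, protection, kind."""
import re
from dataclasses import dataclass

# Win32 memory protection constants (documented values).
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

SDMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<phase>\d{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<prot>[0-9a-fA-F]{8})\.(?P<kind>[0-9a-fA-F]{8})\.sdmp$"
)


@dataclass
class DumpRegion:
    name: str
    process_index: int   # assumed: index of the process within the analysis
    phase: int           # assumed: analysis phase the dump was taken in
    base: int            # region base address
    protection: int      # raw PAGE_* value
    protection_name: str
    executable: bool
    writable: bool

    @property
    def rwx(self):
        return self.executable and self.writable


def decode_protection(value):
    """Readable name for a PAGE_* protection value, modifier bits included."""
    base = value & 0xFF
    parts = [PAGE_BASE.get(base, f"0x{base:02x}")]
    parts += [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(parts)


def parse_dump_name(name):
    """Parse an .sdmp file name into a DumpRegion, or None if it does not match."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    prot = int(m["prot"], 16)
    return DumpRegion(
        name=name,
        process_index=int(m["proc"]),
        phase=int(m["phase"]),
        base=int(m["base"], 16),
        protection=prot,
        protection_name=decode_protection(prot),
        executable=(prot & 0xFF) in EXECUTABLE,
        writable=(prot & 0xFF) in WRITABLE,
    )


def rwx_dumps(names):
    """Names of dumps whose region was both writable and executable: the usual
    place an unpacked or injected payload is found, so open these first."""
    regions = (parse_dump_name(n) for n in names)
    return [r.name for r in regions if r is not None and r.rwx]


# The three memory sources from this report's Yara matches.
REPORT_DUMPS = [
    "00000002.00000002.1197400279.0000000000402000.00000040.00000001.sdmp",
    "00000002.00000002.1202254348.0000000003558000.00000004.00000001.sdmp",
    "00000000.00000002.796383250.0000000003699000.00000004.00000001.sdmp",
]

if __name__ == "__main__":
    for n in REPORT_DUMPS:
        r = parse_dump_name(n)
        print(f"proc {r.process_index}  base 0x{r.base:x}  {r.protection_name}  rwx={r.rwx}")
```

The `.unpack` name (2.2.IMG_210000355530014_AN6714.exe.400000.0.unpack) is a different format and is deliberately rejected by the parser; it names the PE that was rebuilt from base 0x400000 of the same process, which is the file to hand to a .NET decompiler.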

Mitre Att&ck Matrix

Techniques carrying a superscript count were matched by signatures in this analysis; the remaining entries are the matrix's standard placeholders for each tactic.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Windows Management Instrumentation²¹¹; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Process Injection¹²; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Masquerading¹; Software Packing³; Disabling Security Tools¹; Virtualization/Sandbox Evasion¹³; Process Injection¹²; Obfuscated Files or Information²¹
Credential Access: Credential Dumping¹; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: Virtualization/Sandbox Evasion¹³; Process Discovery²; Application Window Discovery¹; Security Software Discovery¹¹; File and Directory Discovery¹; System Information Discovery¹¹⁴
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Email Collection¹; Data from Local System¹; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted¹; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol¹; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Behavior Graph

(The behavior graph is an interactive figure and is not reproduced here. Its legend marks nodes as process, signature, created file, DNS/IP info, dropped file, Windows process, number of created registry values, number of created files, implementation language (Visual Basic, Delphi, Java, .NET C# or VB.NET, C/C++ or other), malicious verdict, and internet access.)

            Screenshots
