
Analysis Report DOC09242020.exe

Overview

General Information

Sample Name: DOC09242020.exe
Analysis ID: 289575
MD5: 97be7c8bf0426378a5b2c5b5c4bdbcc9
SHA1: fb19e51a5de125636c43602a0f14917f37478411
SHA256: 55ee4e94de776d7e7748e9a321055cc59d0f0274b2b81bfae0f1f020a65ab33f
Tags: AgentTesla

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains potential unpacker
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • DOC09242020.exe (PID: 1428 cmdline: 'C:\Users\user\Desktop\DOC09242020.exe' MD5: 97BE7C8BF0426378A5B2C5B5C4BDBCC9)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.449184380.0000000004CE4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.463637558.000000000CF30000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.447658748.00000000034B6000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.447658748.00000000034B6000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: DOC09242020.exe PID: 1428 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.DOC09242020.exe.cf30000.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.DOC09242020.exe.cf30000.9.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: DOC09242020.exe | Virustotal: Detection: 30%
Source: DOC09242020.exe | ReversingLabs: Detection: 37%
Machine Learning detection for sample
Source: DOC09242020.exe | Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 553 POLICY FTP anonymous login attempt 192.168.2.6:49751 -> 65.52.145.87:21
Source: Traffic | Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.6:49751 -> 65.52.145.87:21
Source: Traffic | Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.6:49752 -> 65.52.145.87:52339
Source: global traffic | TCP traffic: 192.168.2.6:49752 -> 65.52.145.87:52339
Source: Joe Sandbox View | IP Address: 65.52.145.87
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: unknown | FTP traffic detected: 65.52.145.87:21 -> 192.168.2.6:49751 220 ProFTPD Server (ProFTPD Default Installation) [65.52.145.87]
Source: unknown | DNS traffic detected: queries for: ftp.dveshop.ro
Source: DOC09242020.exe, 00000000.00000002.449184380.0000000004CE4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIUnJfNFwJmTddRWavOsBpwjcsVqZIGlN.exe4 vs DOC09242020.exe
Source: DOC09242020.exe, 00000000.00000002.452590310.0000000005FD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DOC09242020.exe
Source: DOC09242020.exe, 00000000.00000000.176773941.0000000000FEC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLime_RICA33.exeD vs DOC09242020.exe
Source: DOC09242020.exe, 00000000.00000002.451574703.0000000005A00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DOC09242020.exe
Source: DOC09242020.exe, 00000000.00000002.445826205.000000000162A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DOC09242020.exe
Source: DOC09242020.exe, 00000000.00000002.448522821.0000000004C25000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAdovufq.dll4 vs DOC09242020.exe
Source: DOC09242020.exe, 00000000.00000002.452274907.0000000005C10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs DOC09242020.exe
Source: DOC09242020.exe | Binary or memory string: OriginalFilenameLime_RICA33.exeD vs DOC09242020.exe
Source: DOC09242020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\DOC09242020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DOC09242020.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DOC09242020.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DOC09242020.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DOC09242020.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DOC09242020.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: C:\Users\user\Desktop\DOC09242020.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DOC09242020.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DOC09242020.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DOC09242020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: DOC09242020.exe, EYNXGAjLKPPFhoYNbOthBvhjuCol.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.DOC09242020.exe.fa0000.0.unpack, EYNXGAjLKPPFhoYNbOthBvhjuCol.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.DOC09242020.exe.fa0000.0.unpack, EYNXGAjLKPPFhoYNbOthBvhjuCol.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\DOC09242020.exe | Code function: 0_2_00FDAFF6 push es; retf (0_2_00FDAFF9)
Source: C:\Users\user\Desktop\DOC09242020.exe | Code function: 0_2_00FDCCC4 pushfd ; retf (0_2_00FDCCFD)
Source: C:\Users\user\Desktop\DOC09242020.exe | Code function: 0_2_05C0DDF5 push B60BC769h; ret (0_2_05C0DE00)
Source: C:\Users\user\Desktop\DOC09242020.exe | Code function: 0_2_05C08747 push edi; retn 0000h (0_2_05C08749)
Source: C:\Users\user\Desktop\DOC09242020.exe | Code function: 0_2_05C0BE00 push edi; retf (0_2_05C0BE03)
Source: C:\Users\user\Desktop\DOC09242020.exe | Code function: 0_2_05C06398 push esp; iretd (0_2_05C06399)
Source: C:\Users\user\Desktop\DOC09242020.exe | Code function: 0_2_05C0925B push 8B56h; retf (0_2_05C09260)
Source: initial sample | Static PE information: section name: .text entropy: 7.6725520322
Source: C:\Users\user\Desktop\DOC09242020.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DOC09242020.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\DOC09242020.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\DOC09242020.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: DOC09242020.exe, 00000000.00000002.447558543.0000000003421000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\DOC09242020.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\DOC09242020.exe Window / User API: threadDelayed 584
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 1560 Thread sleep time: -109000s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 1404 Thread sleep time: -37000s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -59500s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -59312s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -58406s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -56718s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -56500s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -83109s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -54312s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -53812s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -53218s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -53000s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -52718s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -52500s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -51906s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -51406s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -50812s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -50312s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -50124s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -49718s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -49500s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -48312s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -47218s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -46406s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -46124s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -68577s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -45500s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -45218s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -44812s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -43718s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -43500s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -41718s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -38500s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -37406s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -55718s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -55000s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -54812s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -48906s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -48718s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -47812s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -47594s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe TID: 5888 Thread sleep time: -46718s >= -30000s
                Source: C:\Users\user\Desktop\DOC09242020.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\DOC09242020.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: DOC09242020.exe, 00000000.00000002.451574703.0000000005A00000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: DOC09242020.exe, 00000000.00000002.447558543.0000000003421000.00000004.00000001.sdmp Binary or memory string: vmware
                Source: DOC09242020.exe, 00000000.00000002.451574703.0000000005A00000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: DOC09242020.exe, 00000000.00000002.451574703.0000000005A00000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: DOC09242020.exe, 00000000.00000002.451976775.0000000005AF0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: DOC09242020.exe, 00000000.00000002.451574703.0000000005A00000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\DOC09242020.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Code function: 0_2_05C0BE90 LdrInitializeThunk,0_2_05C0BE90
                Source: C:\Users\user\Desktop\DOC09242020.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\DOC09242020.exe Memory allocated: page read and write | page guard
                Source: DOC09242020.exe, 00000000.00000002.447005053.0000000001E20000.00000002.00000001.sdmp Binary or memory string: Program Manager
                Source: DOC09242020.exe, 00000000.00000002.447005053.0000000001E20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: DOC09242020.exe, 00000000.00000002.447005053.0000000001E20000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: DOC09242020.exe, 00000000.00000002.447005053.0000000001E20000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Users\user\Desktop\DOC09242020.exe VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\DOC09242020.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation