Loading ...

Play interactive tourEdit tour

Analysis Report .exe

Overview

General Information

Sample Name: .exe
Analysis ID:321141
MD5:4c0960a22153523b2626bff364cc7073
SHA1:8596c7561f3668d544ee5cf24ac19c1c9db6c616
SHA256:c9442156b26b8fe68a84028f85861191bff85680b1460d26b9491cbc3f3ac230
Tags:exe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Yara detected AntiVM_3
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • .exe (PID: 6444 cmdline: 'C:\Users\user\Desktop\ .exe' MD5: 4C0960A22153523B2626BFF364CC7073)
    • schtasks.exe (PID: 6604 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • .exe (PID: 6752 cmdline: {path} MD5: 4C0960A22153523B2626BFF364CC7073)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "LG3xhtQljnZve", "URL: ": "http://dIhLHGXisr.net", "To: ": "supervisor@persec.gr", "ByHost: ": "mail.persec.gr:587", "Password: ": "g71iC6Xh1Q24qt", "From: ": "supervisor@persec.gr"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
.exeMAL_RANSOM_COVID19_Apr20_1Detects ransomware distributed in COVID-19 themeFlorian Roth
  • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Roaming\apQsEpT.exeMAL_RANSOM_COVID19_Apr20_1Detects ransomware distributed in COVID-19 themeFlorian Roth
  • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
  • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 5 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.2. .exe.510000.1.unpackMAL_RANSOM_COVID19_Apr20_1Detects ransomware distributed in COVID-19 themeFlorian Roth
            • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
            • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
            4.0. .exe.510000.0.unpackMAL_RANSOM_COVID19_Apr20_1Detects ransomware distributed in COVID-19 themeFlorian Roth
            • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
            • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
            0.0. .exe.320000.0.unpackMAL_RANSOM_COVID19_Apr20_1Detects ransomware distributed in COVID-19 themeFlorian Roth
            • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
            • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
            4.2. .exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2. .exe.320000.0.unpackMAL_RANSOM_COVID19_Apr20_1Detects ransomware distributed in COVID-19 themeFlorian Roth
              • 0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34
              • 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

              Sigma Overview

              System Summary:

              barindex
              Sigma detected: Scheduled temp file as task from temp locationShow sources
              Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ .exe' , ParentImage: C:\Users\user\Desktop\ .exe, ParentProcessId: 6444, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp', ProcessId: 6604
              Sigma detected: Suspicious Double ExtensionShow sources
              Source: Process startedAuthor: Florian Roth (rule), @blu3_team (idea): Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\ .exe, NewProcessName: C:\Users\user\Desktop\ .exe, OriginalFileName: C:\Users\user\Desktop\ .exe, ParentCommandLine: 'C:\Users\user\Desktop\ .exe' , ParentImage: C:\Users\user\Desktop\ .exe, ParentProcessId: 6444, ProcessCommandLine: {path}, ProcessId: 6752

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Antivirus / Scanner detection for submitted sampleShow sources
              Source: .exeAvira: detected
              Antivirus detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\apQsEpT.exeAvira: detection malicious, Label: TR/Kryptik.uduze
              Found malware configurationShow sources
              Source: .exe.6752.4.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "LG3xhtQljnZve", "URL: ": "http://dIhLHGXisr.net", "To: ": "supervisor@persec.gr", "ByHost: ": "mail.persec.gr:587", "Password: ": "g71iC6Xh1Q24qt", "From: ": "supervisor@persec.gr"}
              Multi AV Scanner detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\apQsEpT.exeReversingLabs: Detection: 41%
              Multi AV Scanner detection for submitted fileShow sources
              Source: .exeVirustotal: Detection: 55%Perma Link
              Source: .exeReversingLabs: Detection: 41%
              Machine Learning detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\apQsEpT.exeJoe Sandbox ML: detected
              Machine Learning detection for sampleShow sources
              Source: .exeJoe Sandbox ML: detected
              Source: 4.2. .exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
              Source: global trafficTCP traffic: 192.168.2.3:49746 -> 85.25.186.211:587
              Source: Joe Sandbox ViewASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
              Source: global trafficTCP traffic: 192.168.2.3:49746 -> 85.25.186.211:587
              Source: unknownDNS traffic detected: queries for: mail.persec.gr
              Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
              Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
              Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpString found in binary or memory: http://GMgRDJ.com
              Source: .exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: .exe, 00000004.00000002.483465380.0000000006570000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: .exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
              Source: .exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
              Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpString found in binary or memory: http://dIhLHGXisr.ne
              Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpString found in binary or memory: http://dIhLHGXisr.net
              Source: .exe, 00000004.00000003.432962878.0000000000994000.00000004.00000001.sdmpString found in binary or memory: http://dIhLHGXisr.net1-5-21-3853321935-2125563209-4053062332-1002_Classes
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: .exe, 00000004.00000002.480546013.0000000002C91000.00000004.00000001.sdmpString found in binary or memory: http://mail.persec.gr
              Source: .exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: .exe, 00000004.00000002.480546013.0000000002C91000.00000004.00000001.sdmpString found in binary or memory: http://persec.gr
              Source: .exe, 00000000.00000002.227280957.0000000002851000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgGETMozilla/5.0
              Source: .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, .exe, 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/
              Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
              Source: .exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, .exe, 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
              Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              barindex
              Contains functionality to register a low level keyboard hookShow sources
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E4085C SetWindowsHookExW 0000000D,00000000,?,?
              Installs a global keyboard hookShow sources
              Source: C:\Users\user\Desktop\ .exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\ .exe
              Source: C:\Users\user\Desktop\ .exeWindow created: window name: CLIPBRDWNDCLASS

              System Summary:

              barindex
              Source: C:\Users\user\Desktop\ .exeCode function: 0_2_025F0468
              Source: C:\Users\user\Desktop\ .exeCode function: 0_2_025F3251
              Source: C:\Users\user\Desktop\ .exeCode function: 0_2_025F1792
              Source: C:\Users\user\Desktop\ .exeCode function: 0_2_027228AC
              Source: C:\Users\user\Desktop\ .exeCode function: 0_2_027228A0
              Source: C:\Users\user\Desktop\ .exeCode function: 0_2_02721458
              Source: C:\Users\user\Desktop\ .exeCode function: 0_2_02721E10
              Source: C:\Users\user\Desktop\ .exeCode function: 0_2_02721E02
              Source: C:\Users\user\Desktop\ .exeCode function: 0_2_02723C90
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E06878
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E06140
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E03664
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E05B08
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E10C58
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E10818
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E135C0
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E1A638
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E1C9A0
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E1CD78
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E172B8
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E12BE8
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E2D0D9
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E299D8
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E236C0
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E22E30
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E21408
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E2ABA0
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E48680
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E4C3B0
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E41368
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E23A90
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E20040
              Source: .exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: apQsEpT.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: .exeBinary or memory string: OriginalFilename vs .exe
              Source: .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKHMZrpfhVHbupBTDgZUuRpVOwPEewuQgjBGfHK.exe4 vs .exe
              Source: .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmpBinary or memory string: OriginalFilename-^lQ.exe2 vs .exe
              Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs .exe
              Source: .exe, 00000000.00000002.229849312.00000000052D0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs .exe
              Source: .exe, 00000000.00000002.229849312.00000000052D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs .exe
              Source: .exe, 00000000.00000002.229717040.00000000051D0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs .exe
              Source: .exe, 00000000.00000002.233680197.000000000D840000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs .exe
              Source: .exeBinary or memory string: OriginalFilename vs .exe
              Source: .exe, 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameKHMZrpfhVHbupBTDgZUuRpVOwPEewuQgjBGfHK.exe4 vs .exe
              Source: .exe, 00000004.00000002.475414380.0000000000512000.00000002.00020000.sdmpBinary or memory string: OriginalFilename-^lQ.exe2 vs .exe
              Source: .exe, 00000004.00000002.483118570.0000000005C40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs .exe
              Source: .exe, 00000004.00000002.475845812.0000000000938000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs .exe
              Source: .exe, 00000004.00000002.477070900.0000000000D30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs .exe
              Source: .exeBinary or memory string: OriginalFilename-^lQ.exe2 vs .exe
              Source: .exe, type: SAMPLEMatched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: C:\Users\user\AppData\Roaming\apQsEpT.exe, type: DROPPEDMatched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: 4.2. .exe.510000.1.unpack, type: UNPACKEDPEMatched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: 4.0. .exe.510000.0.unpack, type: UNPACKEDPEMatched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: 0.0. .exe.320000.0.unpack, type: UNPACKEDPEMatched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: 0.2. .exe.320000.0.unpack, type: UNPACKEDPEMatched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
              Source: .exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: apQsEpT.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/4@2/1
              Source: C:\Users\user\Desktop\ .exeFile created: C:\Users\user\AppData\Roaming\apQsEpT.exeJump to behavior
              Source: C:\Users\user\Desktop\ .exeMutant created: \Sessions\1\BaseNamedObjects\BrbtmaRrqYfXTg
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_01
              Source: C:\Users\user\Desktop\ .exeFile created: C:\Users\user\AppData\Local\Temp\tmp88EB.tmpJump to behavior
              Source: .exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\ .exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\ .exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\ .exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\ .exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ .exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ .exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\ .exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\ .exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\ .exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\ .exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: .exeVirustotal: Detection: 55%
              Source: .exeReversingLabs: Detection: 41%
              Source: C:\Users\user\Desktop\ .exeFile read: C:\Users\user\Desktop\ .exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\ .exe 'C:\Users\user\Desktop\ .exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Users\user\Desktop\ .exe {path}
              Source: C:\Users\user\Desktop\ .exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'
              Source: C:\Users\user\Desktop\ .exeProcess created: C:\Users\user\Desktop\ .exe {path}
              Source: C:\Users\user\Desktop\ .exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\Desktop\ .exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\ .exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: .exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: .exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E0B55F push edi; retn 0000h
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E2811A push 8BFFFFFFh; retf
              Source: initial sampleStatic PE information: section name: .text entropy: 7.8624495092
              Source: initial sampleStatic PE information: section name: .text entropy: 7.8624495092
              Source: C:\Users\user\Desktop\ .exeFile created: \ .exe
              Source: C:\Users\user\Desktop\ .exeFile created: \ .exe
              Source: C:\Users\user\Desktop\ .exeFile created: C:\Users\user\AppData\Roaming\apQsEpT.exeJump to dropped file

              Boot Survival:

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'

              Hooking and other Techniques for Hiding and Protection:

              barindex
              Icon mismatch, binary includes an icon from a different legit application in order to fool usersShow sources
              Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: icon (2112).png
              Source: C:\Users\user\Desktop\ .exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ .exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              barindex
              Yara detected AntiVM_3Show sources
              Source: Yara matchFile source: 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: .exe PID: 6444, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\ .exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\ .exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
              Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\ .exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\ .exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\ .exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\ .exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\ .exeWindow / User API: threadDelayed 777
              Source: C:\Users\user\Desktop\ .exe TID: 6568Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 6448Thread sleep time: -41500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 6468Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7020Thread sleep count: 93 > 30
              Source: C:\Users\user\Desktop\ .exe TID: 7020Thread sleep count: 777 > 30
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -59500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -59314s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -58406s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -87000s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -57594s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -57314s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -56500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -83721s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -83391s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -83109s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -54906s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -54500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -54314s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -53814s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -53594s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -53406s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -53000s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -78750s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -51906s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -51406s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -76500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -50814s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -50094s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -49220s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -73500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -48814s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -48594s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -47500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -47314s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -46814s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -46594s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -45720s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -45500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -45314s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -45094s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -44906s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -44000s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -43814s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -43314s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -43094s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -42906s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -42500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -42220s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -42000s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -41594s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -40500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -39594s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -38720s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -38500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -38314s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -38094s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -37000s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -36814s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -36314s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -35220s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -35000s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -34814s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -34314s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -34094s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -50109s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -33220s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -32000s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -31094s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -30906s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -30720s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -39471s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -34221s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -60000s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -51814s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -51594s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -75750s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -49406s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -48500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -48094s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -47406s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -70500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -45906s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -44814s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -44594s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -43906s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -43500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -41906s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -41314s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -41094s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -40406s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -40000s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -39500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -38906s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -38406s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -38000s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -37814s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -37594s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -36906s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -36500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -36000s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -35406s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -34906s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -34500s >= -30000s
              Source: C:\Users\user\Desktop\ .exe TID: 7016Thread sleep time: -33000s >= -30000s
              Source: C:\Users\user\Desktop\ .exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\ .exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\ .exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\ .exeLast function: Thread delayed
              Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmpBinary or memory string: VMware
              Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmpBinary or memory string: vmware
              Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmpBinary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmpBinary or memory string: VMWARE
              Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
              Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmpBinary or memory string: VMware
              Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
              Source: .exe, 00000004.00000002.476639062.0000000000B42000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\ .exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\ .exeCode function: 4_2_00E00A70 LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,
              Source: C:\Users\user\Desktop\ .exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\ .exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\ .exeMemory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\ .exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'
              Source: C:\Users\user\Desktop\ .exeProcess created: C:\Users\user\Desktop\ .exe {path}
              Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Users\user\Desktop\ .exe VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Users\user\Desktop\ .exe VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\ .exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.229056659.0000000003AF5000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: .exe PID: 6752, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: .exe PID: 6444, type: MEMORY
              Source: Yara matchFile source: 4.2. .exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\ .exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal browser information (history, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\ .exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\ .exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
              Source: C:\Users\user\Desktop\ .exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Tries to harvest and steal ftp login credentialsShow sources
              Source: C:\Users\user\Desktop\ .exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Source: C:\Users\user\Desktop\ .exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Tries to steal Mail credentials (via file access)Show sources
              Source: C:\Users\user\Desktop\ .exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\ .exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\ .exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\Desktop\ .exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Yara matchFile source: 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: .exe PID: 6752, type: MEMORY

              Remote Access Functionality:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.229056659.0000000003AF5000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: .exe PID: 6752, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: .exe PID: 6444, type: MEMORY
              Source: Yara matchFile source: 4.2. .exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsWindows Management Instrumentation211Scheduled Task/Job1Process Injection12Disable or Modify Tools1OS Credential Dumping2File and Directory Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Obfuscated Files or Information2Input Capture21System Information Discovery114Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Software Packing3Credentials in Registry1Query Registry1SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Masquerading11NTDSSecurity Software Discovery321Distributed Component Object ModelInput Capture21Scheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptVirtualization/Sandbox Evasion14LSA SecretsVirtualization/Sandbox Evasion14SSHClipboard Data1Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.commonProcess Injection12Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.

              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              .exe56%VirustotalBrowse
              .exe42%ReversingLabsByteCode-MSIL.Trojan.Taskun
              .exe100%AviraTR/Kryptik.uduze
              .exe100%Joe Sandbox ML

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\Users\user\AppData\Roaming\apQsEpT.exe100%AviraTR/Kryptik.uduze
              C:\Users\user\AppData\Roaming\apQsEpT.exe100%Joe Sandbox ML
              C:\Users\user\AppData\Roaming\apQsEpT.exe42%ReversingLabsByteCode-MSIL.Trojan.Taskun

              Unpacked PE Files

              SourceDetectionScannerLabelLinkDownload
              4.2. .exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

              Domains

              SourceDetectionScannerLabelLink
              persec.gr0%VirustotalBrowse
              mail.persec.gr0%VirustotalBrowse

              URLs

              SourceDetectionScannerLabelLink
              http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
              http://DynDns.comDynDNS0%URL Reputationsafe
              http://DynDns.comDynDNS0%URL Reputationsafe
              http://DynDns.comDynDNS0%URL Reputationsafe
              http://DynDns.comDynDNS0%URL Reputationsafe
              https://sectigo.com/CPS00%URL Reputationsafe
              https://sectigo.com/CPS00%URL Reputationsafe
              https://sectigo.com/CPS00%URL Reputationsafe
              https://sectigo.com/CPS00%URL Reputationsafe
              http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
              http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
              http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
              http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              http://GMgRDJ.com0%Avira URL Cloudsafe
              http://www.tiro.com0%URL Reputationsafe
              http://www.tiro.com0%URL Reputationsafe
              http://www.tiro.com0%URL Reputationsafe
              http://www.tiro.com0%URL Reputationsafe
              http://mail.persec.gr0%Avira URL Cloudsafe
              http://dIhLHGXisr.net0%Avira URL Cloudsafe
              http://www.goodfont.co.kr0%URL Reputationsafe
              http://www.goodfont.co.kr0%URL Reputationsafe
              http://www.goodfont.co.kr0%URL Reputationsafe
              http://dIhLHGXisr.ne0%Avira URL Cloudsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              https://api.ipify.orgGETMozilla/5.00%URL Reputationsafe
              https://api.ipify.orgGETMozilla/5.00%URL Reputationsafe
              https://api.ipify.orgGETMozilla/5.00%URL Reputationsafe
              http://www.sajatypeworks.com0%URL Reputationsafe
              http://www.sajatypeworks.com0%URL Reputationsafe
              http://www.sajatypeworks.com0%URL Reputationsafe
              http://www.typography.netD0%URL Reputationsafe
              http://www.typography.netD0%URL Reputationsafe
              http://www.typography.netD0%URL Reputationsafe
              http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
              http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
              http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
              http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
              http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
              http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
              http://fontfabrik.com0%URL Reputationsafe
              http://fontfabrik.com0%URL Reputationsafe
              http://fontfabrik.com0%URL Reputationsafe
              http://www.founder.com.cn/cn0%URL Reputationsafe
              http://www.founder.com.cn/cn0%URL Reputationsafe
              http://www.founder.com.cn/cn0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
              http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
              http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
              http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
              http://persec.gr0%Avira URL Cloudsafe
              http://dIhLHGXisr.net1-5-21-3853321935-2125563209-4053062332-1002_Classes0%Avira URL Cloudsafe
              http://www.sandoll.co.kr0%URL Reputationsafe
              http://www.sandoll.co.kr0%URL Reputationsafe
              http://www.sandoll.co.kr0%URL Reputationsafe
              http://www.urwpp.deDPlease0%URL Reputationsafe
              http://www.urwpp.deDPlease0%URL Reputationsafe
              http://www.urwpp.deDPlease0%URL Reputationsafe
              http://www.zhongyicts.com.cn0%URL Reputationsafe
              http://www.zhongyicts.com.cn0%URL Reputationsafe
              http://www.zhongyicts.com.cn0%URL Reputationsafe
              http://www.sakkal.com0%URL Reputationsafe
              http://www.sakkal.com0%URL Reputationsafe
              http://www.sakkal.com0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              persec.gr
              85.25.186.211
              truetrueunknown
              mail.persec.gr
              unknown
              unknowntrueunknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://127.0.0.1:HTTP/1.1 .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpfalse
              • Avira URL Cloud: safe
              low
              http://www.apache.org/licenses/LICENSE-2.0 .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                high
                http://www.fontbureau.com .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                  high
                  http://www.fontbureau.com/designersG .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                    high
                    http://DynDns.comDynDNS .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://sectigo.com/CPS0 .exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    http://www.fontbureau.com/designers/? .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                      high
                      http://www.founder.com.cn/cn/bThe .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.com/designers? .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                        high
                        http://GMgRDJ.com .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.tiro.com .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://mail.persec.gr .exe, 00000004.00000002.480546013.0000000002C91000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.fontbureau.com/designers .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                          high
                          http://dIhLHGXisr.net .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmptrue
                          • Avira URL Cloud: safe
                          unknown
                          http://www.goodfont.co.kr .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://dIhLHGXisr.ne .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmptrue
                          • Avira URL Cloud: safe
                          unknown
                          http://www.carterandcone.coml .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://api.ipify.orgGETMozilla/5.0 .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.sajatypeworks.com .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.typography.netD .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers/cabarga.htmlN .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                            high
                            http://www.founder.com.cn/cn/cThe .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.galapagosdesign.com/staff/dennis.htm .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://fontfabrik.com .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.founder.com.cn/cn .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers/frere-jones.html .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                              high
                              https://api.telegram.org/bot%telegramapi%/ .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, .exe, 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmpfalse
                                high
                                http://www.jiyu-kobo.co.jp/ .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.galapagosdesign.com/DPlease .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers8 .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                                  high
                                  http://persec.gr .exe, 00000004.00000002.480546013.0000000002C91000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://dIhLHGXisr.net1-5-21-3853321935-2125563209-4053062332-1002_Classes .exe, 00000004.00000003.432962878.0000000000994000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  low
                                  http://www.fonts.com .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.sandoll.co.kr .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deDPlease .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.zhongyicts.com.cn .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name .exe, 00000000.00000002.227280957.0000000002851000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.sakkal.com .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmpfalse
                                        high
                                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, .exe, 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown

                                        Contacted IPs

                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs

                                        Public

                                        IPDomainCountryFlagASNASN NameMalicious
                                        85.25.186.211
                                        unknownGermany
                                        8972GD-EMEA-DC-SXB1DEtrue

                                        General Information

                                        Joe Sandbox Version:31.0.0 Red Diamond
                                        Analysis ID:321141
                                        Start date:20.11.2020
                                        Start time:12:35:22
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 7m 47s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Sample file name: .exe
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed:23
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@6/4@2/1
                                        EGA Information:Failed
                                        HDC Information:
                                        • Successful, ratio: 0.6% (good quality ratio 0.6%)
                                        • Quality average: 60.4%
                                        • Quality standard deviation: 23.4%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .exe
                                        Warnings:
                                        Show All
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.147.198.201, 104.43.193.48, 104.75.88.60, 51.104.139.180, 20.54.26.129, 205.185.216.42, 205.185.216.10, 40.67.251.132, 95.101.22.134, 95.101.22.125, 204.79.197.200, 13.107.21.200
                                        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, a-0001.a-afdentry.net.trafficmanager.net
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

                                        TimeTypeDescription
                                        12:36:17API Interceptor794x Sleep call for process: .exe modified

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASN

                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                        GD-EMEA-DC-SXB1DEmalware.htmlGet hashmaliciousBrowse
                                        • 188.93.15.103
                                        http://your-prize-ready-lkz.live/?u=1nup806&o=0wywy2l&t=k2Dr_USAtest_PCGet hashmaliciousBrowse
                                        • 188.138.111.121
                                        8miw6WNHCt.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        gGTQ8uae5s.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        ENJ5AB3B0x.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        0P0cZbXEbK.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        Tk8cA6bHRS.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        fTAYoI22iY.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        start.exeGet hashmaliciousBrowse
                                        • 85.25.213.211
                                        uvjAwriS1c.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        vAstEpls9R.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        hmB9yvFv40.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        ZYhucZndrm.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        4WD28ZoLXN.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        VLmFsICPqL.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        Zped7c3dam.exeGet hashmaliciousBrowse
                                        • 217.172.179.54
                                        idWMSrWvoE.exeGet hashmaliciousBrowse
                                        • 87.230.25.43
                                        cK2ClsvtJE.exeGet hashmaliciousBrowse
                                        • 87.230.25.43
                                        AXZFXiJCj3.exeGet hashmaliciousBrowse
                                        • 87.230.25.43
                                        lHuFdWpoMA.exeGet hashmaliciousBrowse
                                        • 87.230.25.43

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ .exe.log
                                        Process:C:\Users\user\Desktop\ .exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1301
                                        Entropy (8bit):5.345637324625647
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
                                        MD5:6C42AAF2F2FABAD2BAB70543AE48CEDB
                                        SHA1:8552031F83C078FE1C035191A32BA43261A63DA9
                                        SHA-256:51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
                                        SHA-512:014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
                                        Malicious:true
                                        Reputation:moderate, very likely benign file
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        C:\Users\user\AppData\Local\Temp\tmp88EB.tmp
                                        Process:C:\Users\user\Desktop\ .exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1640
                                        Entropy (8bit):5.184896527826423
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBxBtn:cbh47TlNQ//rydbz9I3YODOLNdq3n
                                        MD5:6EAB4206B94D6528E932EC3C4A938DCC
                                        SHA1:20BA86B7BC00D2BDD0FEDAC3C5CA48D7B8852CB0
                                        SHA-256:5A05D19A5B06DD9FCFBD0A0A4229A8472721905D99841944B0792E0AFC2A2D47
                                        SHA-512:644E57F4BB285CECEE145FD85513016EE55CE10AA0AD7A3E9EFF25F3A6C833D6832A3AAC4B3208199B1F64D48D47B3B638A15906EE5EA548FC667D36B3B142E7
                                        Malicious:true
                                        Reputation:low
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Roaming\51qhj2rq.aji\Chrome\Default\Cookies
                                        Process:C:\Users\user\Desktop\ .exe
                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):0.6970840431455908
                                        Encrypted:false
                                        SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                        MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                        SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                        SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                        SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        C:\Users\user\AppData\Roaming\apQsEpT.exe
                                        Process:C:\Users\user\Desktop\ .exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):561664
                                        Entropy (8bit):7.555510842518211
                                        Encrypted:false
                                        SSDEEP:12288:Y19HzS46VFkxNjZ53CBc8860iI614WNHJ6vPdJxxcaOq1MUCTdAA:Y19OzVFkxNjLyJ8ytHAvPdWA
                                        MD5:4C0960A22153523B2626BFF364CC7073
                                        SHA1:8596C7561F3668D544EE5CF24AC19C1C9DB6C616
                                        SHA-256:C9442156B26B8FE68A84028F85861191BFF85680B1460D26B9491CBC3F3AC230
                                        SHA-512:7CB0051E450BF16547B891309C8E51E51B41F3F8F95EE2F15FC5DAC0B3DA6683B74EC65942CEA03CD03F60BEDFFA2760D5B7754EB73537CFCDDAABF1B1BB68ED
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: MAL_RANSOM_COVID19_Apr20_1, Description: Detects ransomware distributed in COVID-19 theme, Source: C:\Users\user\AppData\Roaming\apQsEpT.exe, Author: Florian Roth
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 42%
                                        Reputation:low
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_............................N.... ... ....@.. ....................................@.....................................S.... ............................................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B................0.......H........B......................................................................h........)......Z.........H...@.#....t........C(...HB.p..=.| ...98..:.%:2xRw...wG.(F"....M9b.].\4`7...q...V..K.....m..i.\...B&....z...l...k......)_...q..l7.z..II..G....el..$..Y....Zb['A?....y.M..9.y.|.`F/..N..T2....E...V.o..'...e.0..7...@..q1.~d.s[....b.T7|..1.....L.2I...$.rnB..9.+j..(..(......Sgz..hd....#I...=..46..J._D.t.1.V.d....{?..1.`.A...:...L......*!M.}p...<2..<...n.M..

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.555510842518211
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name: .exe
                                        File size:561664
                                        MD5:4c0960a22153523b2626bff364cc7073
                                        SHA1:8596c7561f3668d544ee5cf24ac19c1c9db6c616
                                        SHA256:c9442156b26b8fe68a84028f85861191bff85680b1460d26b9491cbc3f3ac230
                                        SHA512:7cb0051e450bf16547b891309c8e51e51b41f3f8f95ee2f15fc5dac0b3da6683b74ec65942cea03cd03f60bedffa2760d5b7754eb73537cfcddaabf1b1bb68ed
                                        SSDEEP:12288:Y19HzS46VFkxNjZ53CBc8860iI614WNHJ6vPdJxxcaOq1MUCTdAA:Y19OzVFkxNjLyJ8ytHAvPdWA
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_............................N.... ... ....@.. ....................................@................................

                                        File Icon

                                        Icon Hash:6eecccccd6d2f2f2

                                        Static PE Info

                                        General

                                        Entrypoint:0x471e4e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x5FB72EF8 [Fri Nov 20 02:50:32 2020 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

                                        NameVirtual AddressVirtual Size Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x71df80x53.text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x720000x18d18.rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x8c0000xc.reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                        Sections

                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                        .text0x20000x6fe540x70000False0.898808070592data7.8624495092IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc0x720000x18d180x18e00False0.14752473304data4.30896630278IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc0x8c0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        NameRVASizeTypeLanguageCountry
                                        RT_ICON0x722200x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                        RT_ICON0x747c80x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                                        RT_ICON0x758700x468GLS_BINARY_LSB_FIRST
                                        RT_ICON0x75cd80x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
                                        RT_ICON0x79f000x10828dBase III DBT, version number 0, next free block index 40
                                        RT_GROUP_ICON0x8a7280x4cdata
                                        RT_GROUP_ICON0x8a7740x14data
                                        RT_VERSION0x8a7880x39edata
                                        RT_MANIFEST0x8ab280x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                        Imports

                                        DLLImport
                                        mscoree.dll_CorExeMain

                                        Version Infos

                                        DescriptionData
                                        Translation0x0000 0x04b0
                                        LegalCopyrightLes loups-garous de Thiercelieux 1998
                                        Assembly Version27.0.0.0
                                        InternalName.exe
                                        FileVersion11.0.0.0
                                        CompanyNameLes loups-garous de Thiercelieux
                                        LegalTrademarks
                                        CommentsJeu de la barbichette
                                        ProductNamePtanque
                                        ProductVersion11.0.0.0
                                        FileDescriptionPtanque
                                        OriginalFilename.exe

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Nov 20, 2020 12:38:00.977946997 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:00.997334003 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:00.997428894 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:01.926336050 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:01.926994085 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:01.946588993 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:01.946995974 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:01.968089104 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.023704052 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.045360088 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.072175980 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.072227001 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.072264910 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.072293043 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.072474957 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.073900938 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.117549896 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.123652935 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.143440962 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.195578098 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.466299057 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.486628056 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.488738060 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.509500980 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.510548115 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.553603888 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.554804087 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.574997902 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.575711012 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.618599892 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.619195938 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.639064074 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.642260075 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.642452955 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.643198967 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.643356085 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.643507004 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.643609047 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.643724918 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:02.662549973 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.662569046 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.663698912 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.663716078 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.663774014 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.663813114 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.663898945 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.671686888 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:02.725683928 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:03.741187096 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:03.761964083 CET5874974685.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:03.762187004 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:03.903204918 CET49746587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:03.904203892 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:03.924031973 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:03.924173117 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:04.842757940 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:04.845351934 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:04.923455954 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:04.925406933 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:04.947405100 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:04.949417114 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:04.973270893 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:04.973308086 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:04.973361969 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:04.973392010 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:04.973479986 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:04.973524094 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:04.974612951 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:04.977596045 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:04.997344017 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.002207041 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.021641016 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.025597095 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.045763969 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.048933983 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.077080011 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.077486038 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.097053051 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.097573996 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.119723082 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.121519089 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.141120911 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.145776033 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.145817995 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.145965099 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.146074057 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.146205902 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.146271944 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.146338940 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.146420956 CET49747587192.168.2.385.25.186.211
                                        Nov 20, 2020 12:38:05.166944027 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.167006969 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.167032957 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.167191029 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.167347908 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.167506933 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.167700052 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.168315887 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.196713924 CET5874974785.25.186.211192.168.2.3
                                        Nov 20, 2020 12:38:05.242696047 CET49747587192.168.2.385.25.186.211

                                        UDP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Nov 20, 2020 12:36:08.970140934 CET6511053192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:09.005853891 CET53651108.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:13.681493998 CET5836153192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:14.671353102 CET5836153192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:14.717644930 CET53583618.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:15.517726898 CET6349253192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:15.544877052 CET53634928.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:17.256653070 CET6083153192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:17.292351961 CET53608318.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:17.983359098 CET6010053192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:18.019092083 CET53601008.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:18.801959991 CET5319553192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:18.829180956 CET53531958.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:21.611474991 CET5014153192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:21.638576984 CET53501418.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:23.167923927 CET5302353192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:23.205724955 CET53530238.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:24.022481918 CET4956353192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:24.049583912 CET53495638.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:24.834919930 CET5135253192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:24.862096071 CET53513528.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:25.474847078 CET5934953192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:25.502132893 CET53593498.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:26.763196945 CET5708453192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:26.798861027 CET53570848.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:27.468164921 CET5882353192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:27.495323896 CET53588238.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:29.045761108 CET5756853192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:29.072999954 CET53575688.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:31.155839920 CET5054053192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:31.193155050 CET53505408.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:39.031672955 CET5436653192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:39.069062948 CET53543668.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:40.108289003 CET5303453192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:40.135490894 CET53530348.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:55.898308039 CET5776253192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:55.925498962 CET53577628.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:58.443252087 CET5543553192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:58.470415115 CET53554358.8.8.8192.168.2.3
                                        Nov 20, 2020 12:36:59.801129103 CET5071353192.168.2.38.8.8.8
                                        Nov 20, 2020 12:36:59.838229895 CET53507138.8.8.8192.168.2.3
                                        Nov 20, 2020 12:37:01.485153913 CET5613253192.168.2.38.8.8.8
                                        Nov 20, 2020 12:37:01.512511015 CET53561328.8.8.8192.168.2.3
                                        Nov 20, 2020 12:37:08.559787989 CET5898753192.168.2.38.8.8.8
                                        Nov 20, 2020 12:37:08.595463991 CET53589878.8.8.8192.168.2.3
                                        Nov 20, 2020 12:37:09.859808922 CET5657953192.168.2.38.8.8.8
                                        Nov 20, 2020 12:37:09.897067070 CET53565798.8.8.8192.168.2.3
                                        Nov 20, 2020 12:37:49.360775948 CET6063353192.168.2.38.8.8.8
                                        Nov 20, 2020 12:37:49.387875080 CET53606338.8.8.8192.168.2.3
                                        Nov 20, 2020 12:37:49.887111902 CET6129253192.168.2.38.8.8.8
                                        Nov 20, 2020 12:37:49.914369106 CET53612928.8.8.8192.168.2.3
                                        Nov 20, 2020 12:38:00.741539001 CET6361953192.168.2.38.8.8.8
                                        Nov 20, 2020 12:38:00.805789948 CET53636198.8.8.8192.168.2.3
                                        Nov 20, 2020 12:38:00.840876102 CET6493853192.168.2.38.8.8.8
                                        Nov 20, 2020 12:38:00.891570091 CET53649388.8.8.8192.168.2.3

                                        DNS Queries

                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                        Nov 20, 2020 12:38:00.741539001 CET192.168.2.38.8.8.80xaf0fStandard query (0)mail.persec.grA (IP address)IN (0x0001)
                                        Nov 20, 2020 12:38:00.840876102 CET192.168.2.38.8.8.80xeec7Standard query (0)mail.persec.grA (IP address)IN (0x0001)

                                        DNS Answers

                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                        Nov 20, 2020 12:38:00.805789948 CET8.8.8.8192.168.2.30xaf0fNo error (0)mail.persec.grpersec.grCNAME (Canonical name)IN (0x0001)
                                        Nov 20, 2020 12:38:00.805789948 CET8.8.8.8192.168.2.30xaf0fNo error (0)persec.gr85.25.186.211A (IP address)IN (0x0001)
                                        Nov 20, 2020 12:38:00.891570091 CET8.8.8.8192.168.2.30xeec7No error (0)mail.persec.grpersec.grCNAME (Canonical name)IN (0x0001)
                                        Nov 20, 2020 12:38:00.891570091 CET8.8.8.8192.168.2.30xeec7No error (0)persec.gr85.25.186.211A (IP address)IN (0x0001)

                                        SMTP Packets

                                        TimestampSource PortDest PortSource IPDest IPCommands
                                        Nov 20, 2020 12:38:01.926336050 CET5874974685.25.186.211192.168.2.3220-qla.angellight.com ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 13:38:01 +0200
                                        220-We do not authorize the use of this system to transport unsolicited,
                                        220 and/or bulk e-mail.
                                        Nov 20, 2020 12:38:01.926994085 CET49746587192.168.2.385.25.186.211EHLO 760639
                                        Nov 20, 2020 12:38:01.946588993 CET5874974685.25.186.211192.168.2.3250-qla.angellight.com Hello 760639 [84.17.52.25]
                                        250-SIZE 52428800
                                        250-8BITMIME
                                        250-PIPELINING
                                        250-AUTH PLAIN LOGIN
                                        250-STARTTLS
                                        250 HELP
                                        Nov 20, 2020 12:38:01.946995974 CET49746587192.168.2.385.25.186.211STARTTLS
                                        Nov 20, 2020 12:38:01.968089104 CET5874974685.25.186.211192.168.2.3220 TLS go ahead
                                        Nov 20, 2020 12:38:04.842757940 CET5874974785.25.186.211192.168.2.3220-qla.angellight.com ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 13:38:04 +0200
                                        220-We do not authorize the use of this system to transport unsolicited,
                                        220 and/or bulk e-mail.
                                        Nov 20, 2020 12:38:04.845351934 CET49747587192.168.2.385.25.186.211EHLO 760639
                                        Nov 20, 2020 12:38:04.923455954 CET5874974785.25.186.211192.168.2.3250-qla.angellight.com Hello 760639 [84.17.52.25]
                                        250-SIZE 52428800
                                        250-8BITMIME
                                        250-PIPELINING
                                        250-AUTH PLAIN LOGIN
                                        250-STARTTLS
                                        250 HELP
                                        Nov 20, 2020 12:38:04.925406933 CET49747587192.168.2.385.25.186.211STARTTLS
                                        Nov 20, 2020 12:38:04.947405100 CET5874974785.25.186.211192.168.2.3220 TLS go ahead

                                        Code Manipulations

                                        Statistics

                                        Behavior

                                        Click to jump to process

                                        System Behavior

                                        General

                                        Start time:12:36:12
                                        Start date:20/11/2020
                                        Path:C:\Users\user\Desktop\ .exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\ .exe'
                                        Imagebase:0x320000
                                        File size:561664 bytes
                                        MD5 hash:4C0960A22153523B2626BFF364CC7073
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.229056659.0000000003AF5000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Start time:12:36:18
                                        Start date:20/11/2020
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'
                                        Imagebase:0xe20000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:12:36:18
                                        Start date:20/11/2020
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6b2800000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:12:36:19
                                        Start date:20/11/2020
                                        Path:C:\Users\user\Desktop\ .exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0x510000
                                        File size:561664 bytes
                                        MD5 hash:4C0960A22153523B2626BFF364CC7073
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation:low

                                        Disassembly

                                        Code Analysis

                                        Reset < >